There is a growing interest in techniques for detecting whether a logic specification is satisfied too easily, or vacuously. For example, the specification "every request is eventually followed by an acknowledgment" is satisfied vacuously by a system that never generates any requests. Vacuous satisfaction misleads users of model-checking into thinking that a system is correct. It is a serious problem in practice.

There are several existing definitions of vacuity. Originally, Beer et al. formalized vacuity as 
insensitivity to syntactic perturbation (syntactic vacuity). This formulation captures the intuition 
of "vacuity" when applied to a single occurrence of a subformula. Armoni et al. argued that vacuity 
must be robust - not affected by semantically invariant changes, such as extending a model with 
additional atomic propositions. They show that syntactic vacuity is not robust for subformulas of 
linear temporal logic, and propose an alternative definition - trace vacuity. 

In this article, we continue this line of research. We show that trace vacuity is not robust for branching time logic. We further refine the notion of vacuity so that it applies uniformly to linear and branching time logic and does not suffer from the common pitfalls of prior definitions. Our new definition - bisimulation vacuity - is a proper and non-trivial extension of both syntactic and trace vacuity. We discuss the complexity of detecting bisimulation vacuity, and identify several practically-relevant subsets of CTL* for which the vacuity detection problem is reducible to model-checking. We believe that in most practical applications, bisimulation vacuity both provides the desired theoretical properties and is computationally tractable.

Categories and Subject Descriptors: D.2.4 [Software Engineering]: Model checking 
General Terms: Verification 

Additional Key Words and Phrases: Vacuity detection 



1. INTRODUCTION 

Model-checking has gained wide popularity as an automated technique for the effective analysis of software and hardware systems. Given a temporal logic property, the model-checker automatically determines whether the property is satisfied by the system, giving a counterexample in case of failure.

Yet a major problem in practical applications of model-checking is that a successful run of the model-checker does not necessarily guarantee that the intended requirement is satisfied by the system [Beer et al. 1997; Beatty and Bryant 1994]. For example, consider the property

"every request must be followed by an acknowledgment",

where the environment controls the requests. This property, expressed in CTL as $AG(\mathit{req} \Rightarrow AF\,\mathit{ack})$, is satisfied vacuously¹ by any system that never produces a request (i.e., $\mathit{req}$ is false in all reachable states). In this case, the environment alone ensures satisfaction of this property, so it is true of any system combined with such an environment. Intuitively, a property $\varphi$ is considered vacuous if it contains a subformula that is irrelevant for $\varphi$'s satisfaction by the system. In the above example, it is $AF\,\mathit{ack}$.

¹Beatty and Bryant [Beatty and Bryant 1994] originally called this problem "antecedent failure".

Researchers at the IBM Haifa Research Laboratory observed that vacuity is a serious problem [Beer et al. 1997] and that "... typically 20% of specifications pass vacuously during the first formal verification runs of a new hardware design, and that vacuous passes always point to a real problem in either the design, or its specification, or the environment" [Beer et al. 1997]. Further justification has been given by several researchers, such as the case study by Purandare and Somenzi [Purandare and Somenzi 2002]. These results led to a substantial interest in techniques for detecting vacuity.

Most of the early work on vacuity detection uses a syntactic definition of vacuity, provided by Beer et al. [Beer et al. 2001]: a formula $\varphi$ is syntactically vacuous in a subformula $\psi$ and model $K$, if replacing $\psi$ by any other temporal logic formula $\chi$, denoted $\varphi[\psi \leftarrow \chi]$, does not affect the satisfaction of $\varphi$ in $K$. That is, $\varphi$ is vacuous if $\forall \chi \in TL \cdot \varphi[\psi \leftarrow \chi]$ is true, where $TL$ stands for a temporal logic. The main advantage of this definition is the simplicity of detecting vacuity in an occurrence of a subformula. That is, whenever $\psi$ occurs in $\varphi$ only once, detecting whether $\varphi$ is syntactically vacuous in $\psi$ reduces to model-checking $\varphi[\psi \leftarrow \mathit{true}]$ or $\varphi[\psi \leftarrow \mathit{false}]$, based on the polarity of $\psi$. This result started a line of research, e.g., [Dong et al. 2002; Kupferman and Vardi 2003; Gurfinkel and Chechik 2004b; Bustan et al. 2005; Tzoref and Grumberg 2006], that aims to increase the scope of applicability of vacuity detection algorithms. In particular, this work deals with deciding vacuity for various temporal logics, for formulas with one or multiple occurrences of a subformula, handling vacuous satisfaction and vacuous failure of formulas, and generating witnesses to non-vacuity.

An orthogonal question, raised by Armoni et al. [Armoni et al. 2003] and continuing in this article, is to reexamine the meaning of vacuity. Armoni et al. showed that the definition of syntactic vacuity is too restrictive. It is not well suited for detecting vacuity with respect to multiple occurrences of a subformula, i.e., deciding whether $(AXp) \vee (AX\neg p)$ is vacuous in $p$. Furthermore, it is sensitive to irrelevant changes to the model. For example, syntactic vacuity of the formula "if $p$ is true now, it will remain true in the next state", expressed in CTL as $AG(p \Rightarrow AXp)$, can be affected, i.e., changed from vacuous to non-vacuous, by simply adding new atomic propositions to the model.

As an alternative, the authors of [Armoni et al. 2003] develop a new definition, 
applicable to linear-time logic, called trace vacuity. Trace vacuity is not syntactic, 
but is based on the semantics of quantified temporal logic. The new definition is 
shown to alleviate the problems of syntactic vacuity (at least on the examples tried 
by the authors). Furthermore, the complexity of detecting vacuous satisfaction for 
LTL properties with respect to trace vacuity is in the same complexity class as 
model-checking. 

In this article, we continue the search for the "right" definition of vacuity, and ask whether this definition changes as we transition from LTL properties to CTL* and from vacuous satisfaction (i.e., vacuity of formulas that are satisfied by the model) to vacuous failure (i.e., vacuity of formulas that are violated by the model). In particular, we develop a robust definition of vacuity, which we call bisimulation vacuity. We start with a definition of vacuity for propositional logic, argue that it is robust, and then systematically extend it to the branching-time temporal logic CTL*. We show that bisimulation vacuity is a proper extension of syntactic vacuity: while syntactic and bisimulation vacuity coincide for vacuity in a single occurrence, syntactic vacuity is not robust when applied to vacuity in multiple occurrences. Bisimulation vacuity is also a proper non-trivial extension of trace vacuity: while the bisimulation and the trace vacuity definitions coincide for LTL, trace vacuity is not robust when applied to branching-time logics.

We study the complexity of detecting bisimulation vacuity. In general, this prob- 
lem is EXPTIME-complete for CTL and 2EXPTIME-complete for CTL*. How- 
ever, we identify several important fragments of CTL* for which vacuity detection, 
or at least detecting vacuous satisfaction, is no harder than model-checking. In 
particular, we show that checking vacuous satisfaction of ACTL* is reducible to 
model-checking, which subsumes the results of [Armoni et al. 2003]. 

The rest of the article is organized as follows. We provide the necessary background in Section 2. In Section 3, we examine the meaning of "robustness" of vacuity, define bisimulation vacuity, and argue that it is robust. In Section 4, we study the complexity of detecting bisimulation vacuity for CTL* and identify subsets of this language where this problem is tractable. We analyze the relationship between vacuity and abstraction in Section 5. We then compare our approach with related work in Section 6 and conclude in Section 7.

2. BACKGROUND 

In this section, we give a brief overview of temporal logic model-checking, property-preserving relations, and several semantics of quantified temporal logic.

2.1 Models of Computation 

We use Kripke structures to model computations. Intuitively, these are transition systems whose states are labeled by atomic propositions. In this section, we review the formal definition of Kripke structures, and fix the notation. We use $\mathbf{2}$ to denote the set of boolean values $\{\mathit{true}, \mathit{false}\}$.

Definition 2.1 Kripke Structure. A Kripke structure $K$ is a tuple $(AP, S, R, s_0, I)$, where $AP$ is a set of atomic propositions, $S$ is a finite set of states, $R \subseteq S \times S$ is a total transition relation, $s_0 \in S$ is a designated initial state, and $I : S \to 2^{AP}$ is a labeling function, assigning a value to each atomic proposition $p \in AP$ in each state.

Example Kripke structures are shown in Figures 1 and 3. For two states $s$ and $t$, we write $R(s,t)$ for $(s,t) \in R$, and $R(s)$ to denote the set of successors of $s$:

$$R(s) = \{\, t \in S \mid R(s,t) \,\}.$$

For notational convenience, we denote components of a Kripke structure $K$ using the same typographical convention as used for $K$. For example, $S'$ denotes the statespace of $K'$, $R'$ its transition relation, $AP'$ the set of atomic propositions, etc. A path $\pi$ of $K$ is an infinite sequence of states in which every consecutive pair of states is related by the transition relation. Let $i$ be a non-negative integer. We write $\pi(i)$ to denote the $(i+1)$th state on the path, $\pi(0)$ to denote the first state, and $\pi_i$ to denote the suffix of $\pi$ starting from the $i$th state. The set of all paths of $K$ starting from a state $s$ is denoted by $\Pi^K_s$ ($K$ is often omitted when clear from the context).

Fig. 1. A Kripke structure $\mathcal{L}$ and its $\{x\}$-variants $\mathcal{L}|_1$ and …

We now define parallel synchronous composition. 

Definition 2.2 Parallel Synchronous Composition. Let $K_1 = (AP_1, S_1, R_1, s_1, I_1)$ and $K_2 = (AP_2, S_2, R_2, s_2, I_2)$ be two Kripke structures with disjoint atomic propositions, i.e., $AP_1 \cap AP_2 = \emptyset$. A parallel synchronous composition of $K_1$ and $K_2$, written $K_1 \| K_2$, is a Kripke structure $(AP_1 \cup AP_2,\; S_1 \times S_2,\; R_\|,\; (s_1, s_2),\; I_\|)$, where

$$R_\|((s,t),(s',t')) \;\triangleq\; R_1(s,s') \wedge R_2(t,t'), \qquad I_\|((s,t)) = I_1(s) \cup I_2(t).$$

A computation tree $T(K)$ of a Kripke structure $K$ is an $S$-labeled tree obtained by unrolling $K$ from its initial state.

Definition 2.3 Computation Tree. Let $K = (AP, S, R, s_0, I)$ be a Kripke structure. A computation tree $T(K)$ of $K$ is an $S$-labeled tree $(T, \tau)$, where $T = (V, E)$ is a tree with vertex set $V$ and edge set $E$, and $\tau : V \to S$ is a labeling function, satisfying the "unrolling" conditions:

(1) if $v$ is the root of $T(K)$, then $\tau(v) = s_0$;

(2) for a node $v$, $|E(v)| = |R(\tau(v))|$, and for each $s \in R(\tau(v))$ there exists a $u \in E(v)$ such that $\tau(u) = s$, where $E(v)$ is the set of successors of $v$.

A tree unrolling $T(\mathcal{L})$ for the structure $\mathcal{L}$ in Figure 1 is shown in Figure 2. Note that since $\mathcal{L}$ has only one transition, the unrolling is a unary tree, i.e., a trace.

2.2 Temporal Logic 

Computation Tree Logic CTL* [Emerson and Halpern 1985] is a branching-time temporal logic constructed from propositional connectives, temporal operators $X$ (next), $U$ (until), $F$ (future), and $G$ (globally), and path quantifiers $A$ (for all) and $E$ (exists).

Definition 2.4 Syntax of CTL*. Temporal logic CTL* denotes the set of all state formulas satisfying the grammar

$$\varphi ::= p \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \neg\varphi \mid A\psi \mid E\psi,$$



Robust Vacuity for Branching Temporal Logic • 5 

[Figure 2: panels $T(\mathcal{L})$ and $T(\mathcal{L})|_1$, unary trees of states labeled $a_0$]

Fig. 2. A tree unrolling $T(\mathcal{L})$ of $\mathcal{L}$ and one of its $\{x\}$-variants $T(\mathcal{L})|_1$.



where $p$ is an atomic proposition, and $\psi$ is a path formula satisfying the grammar

$$\psi ::= \varphi \mid X\psi \mid \psi\, U\, \psi \mid \psi\, \tilde{U}\, \psi \mid F\psi \mid G\psi.$$



The semantics of path formulas is given with respect to a path of a Kripke structure. For a path formula $\psi$, we write $K, \pi \models \psi$ to denote that $\psi$ is satisfied by the path $\pi$ of a Kripke structure $K$. The semantics of state formulas is given with respect to a state of a Kripke structure. For a state formula $\varphi$, we write $K, s \models \varphi$ to denote that $\varphi$ is satisfied in the state $s$ in $K$.



Definition 2.5 Semantics of CTL*. Let $K = (AP, S, R, s_0, I)$ be a Kripke structure. The semantics of path and state formulas is defined as follows, where $\varphi$, $\varphi_1$, and $\varphi_2$ denote state formulas, $\psi$, $\psi_1$, and $\psi_2$ denote path formulas, and $i$, $j$, and $k$ are natural numbers:

$$
\begin{array}{lcl}
K,\pi \models \neg\psi & \triangleq & K,\pi \not\models \psi \\
K,\pi \models \psi_1 \wedge \psi_2 & \triangleq & K,\pi \models \psi_1 \;\wedge\; K,\pi \models \psi_2 \\
K,\pi \models \psi_1 \vee \psi_2 & \triangleq & K,\pi \models \psi_1 \;\vee\; K,\pi \models \psi_2 \\
K,\pi \models X\psi & \triangleq & K,\pi_1 \models \psi \\
K,\pi \models \psi_1\, U\, \psi_2 & \triangleq & \exists j \cdot K,\pi_j \models \psi_2 \;\wedge\; \forall\, 0 \le i < j \cdot K,\pi_i \models \psi_1 \\
K,\pi \models \psi_1\, \tilde{U}\, \psi_2 & \triangleq & \forall j \cdot K,\pi_j \models \psi_2 \;\vee\; \exists\, 0 \le i < j \cdot K,\pi_i \models \psi_1 \\
K,\pi \models F\psi & \triangleq & \exists j \cdot K,\pi_j \models \psi \\
K,\pi \models G\psi & \triangleq & \forall j \cdot K,\pi_j \models \psi \\[4pt]
K,s \models \neg\varphi & \triangleq & K,s \not\models \varphi \\
K,s \models \varphi_1 \wedge \varphi_2 & \triangleq & K,s \models \varphi_1 \;\wedge\; K,s \models \varphi_2 \\
K,s \models \varphi_1 \vee \varphi_2 & \triangleq & K,s \models \varphi_1 \;\vee\; K,s \models \varphi_2
\end{array}
$$
We say that $K$ satisfies $\varphi$ (or $\varphi$ holds in $K$), denoted $K \models \varphi$, iff $\varphi$ holds in the designated initial state: $K, s_0 \models \varphi$. For simplicity of presentation, we use sets of states as atomic propositions in temporal formulas, giving them the following interpretation: for a set of states $Y$,

$$K, s \models Y \;\triangleq\; s \in Y .$$

We write $\varphi[x]$ to indicate that the formula $\varphi$ may contain an occurrence of $x$. An occurrence of $x$ in $\varphi$ is positive (or of positive polarity) if $x$ occurs under the scope of an even number of negations, and negative otherwise. For example, $p$ is positive in $\neg EX\neg p$, and negative in $\neg EXp$. A subformula $x$ is pure in $\varphi$ if all of its occurrences have the same polarity. For example, $p$ is pure in $EF(p \wedge q \wedge EGp)$. We write $\varphi[x \leftarrow y]$ for a formula obtained from $\varphi$ by replacing each occurrence of $x$ by $y$. This is equivalent to treating a formula as a DAG with all common subformulas shared.

A formula $\varphi$ is universal (i.e., in the language ACTL*) if all of its temporal path quantifiers are universal, and is existential (i.e., in the language ECTL*) if all of the path quantifiers are existential. In both cases, negation is only allowed at the level of atomic propositions. For example, $AG(p \Rightarrow AFq)$ is in ACTL*, and $EF(p \wedge EG\neg q)$ is in ECTL*. We extend this to subformulas as well and say that a subformula is universal if it occurs only under the scope of universal path quantifiers in the negation normal form of the formula. The fragment of CTL* in which all formulas are of the form $A\psi$, where $\psi$ is a path formula, is called Linear Temporal Logic (LTL) [Pnueli 1977]. The fragment in which every occurrence of a path quantifier is immediately followed by a temporal operator is called Computation Tree Logic (CTL) [Clarke and Emerson 1981]. For example, $AG(p\,U\,q)$ is an LTL formula, and $AG\,A[p\,U\,q]$ is a CTL formula. More details on temporal logic can be found in [Emerson 1990; Clarke et al. 1999].

2.3 Simulation and Bisimulation 

In this section, we review two property preserving relations between Kripke struc- 
tures: simulation and bisimulation. 

Definition 2.6 Simulation. [Milner 1971] Let $K = (AP, S, R, s_0, I)$ and $K' = (AP', S', R', s'_0, I')$ be two Kripke structures and $X \subseteq (AP \cap AP')$ a set of common atomic propositions. A relation $\rho \subseteq S \times S'$ is a simulation relation with respect to $X$ if and only if $\rho(s, s')$ implies that

(1) $I'(s') \cap X = I(s) \cap X$, and

(2) $\forall t' \in S' \cdot R'(s', t') \Rightarrow \exists t \in S \cdot R(s,t) \wedge \rho(t, t')$.

A state $s$ simulates a state $s'$ if $(s, s') \in \rho$. A Kripke structure $K$ simulates $K'$ iff the initial state of $K'$ is simulated by the initial state of $K$. For example, $\mathcal{M}$ in Figure 3 simulates $\mathcal{L}$ in Figure 1 via the relation

$$\rho_{\mathcal{M}} = \{(b_0, a_0), (b_1, a_0)\}.$$

Intuitively, if $K$ simulates $K'$ then $K$ can match every behavior of $K'$, i.e., the set of all behaviors of $K'$ is a subset of those of $K$. Thus, if $K$ satisfies an ACTL* formula, then so does $K'$.

Theorem 2.7. [Browne et al. 1988; Grumberg and Long 1994] Let $K$ and $K'$ be two Kripke structures such that $K$ simulates $K'$. Then, for any ACTL* formula $\varphi$,

$$K \models \varphi \;\Rightarrow\; K' \models \varphi.$$

A simulation relation whose inverse is also a simulation is called a bisimulation: 

Definition 2.8 Bisimulation. Let $K = (AP, S, R, s_0, I)$ and $K' = (AP', S', R', s'_0, I')$ be two Kripke structures and $X \subseteq (AP \cap AP')$ a set of common atomic propositions. A relation $\rho \subseteq S \times S'$ is a bisimulation relation with respect to $X$ if and only if (a) $\rho$ is a simulation relation between $K$ and $K'$ with respect to $X$, and (b) $\rho^{-1} \subseteq S' \times S$ is a simulation relation between $K'$ and $K$ with respect to $X$.

Two structures $K$ and $K'$ are bisimilar iff there exists a bisimulation relation $\rho$ that relates their initial states. We use $B(K)$ to denote the set of all structures bisimilar to $K$ with respect to all of the atomic propositions of $K$. For example, the inverse of the relation $\rho_{\mathcal{M}}$ above is a simulation as well. Thus, $\mathcal{L}$ and $\mathcal{M}$ are bisimilar.
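For finite structures, the relations of Definitions 2.6 and 2.8 can be computed as a greatest fixpoint: start from all pairs of states that agree on the propositions in $X$ (condition (1)) and repeatedly discard pairs whose successors cannot be matched (condition (2)), in one direction for a simulation and in both directions for a bisimulation. The Python below is an added example and not code from the paper; the models $\mathcal{L}$ and $\mathcal{M}$ and the $x$-variant `M_x` are constructed here to match the description in the text, since the figures are not reproduced.

```python
# Greatest simulation and bisimulation between two finite Kripke structures with
# respect to a set X of shared atomic propositions, computed as a greatest
# fixpoint over S x S' (Definitions 2.6 and 2.8).  A structure is a dict with
# keys 'init', 'trans' (total successor map) and 'labels' (state -> set of APs).


def _refine(k, k2, x, both):
    """Start from all label-compatible pairs and drop pairs until every
    remaining (s, s') satisfies condition (2) of Definition 2.6; with both=True
    the inverse direction is required as well (Definition 2.8)."""
    x = frozenset(x)
    rho = {(s, s2) for s in k['trans'] for s2 in k2['trans']
           if k['labels'][s] & x == k2['labels'][s2] & x}        # condition (1)
    while True:
        keep = set()
        for (s, s2) in rho:
            # every successor t' of s' (in K') is matched by a successor t of s with rho(t, t')
            fwd = all(any((t, t2) in rho for t in k['trans'][s]) for t2 in k2['trans'][s2])
            # the mirror image: needed for rho^-1 to be a simulation from K' to K
            bwd = all(any((t, t2) in rho for t2 in k2['trans'][s2]) for t in k['trans'][s])
            if fwd and (bwd or not both):
                keep.add((s, s2))
        if keep == rho:
            return frozenset(rho)
        rho = keep


def greatest_simulation(k, k2, x):
    """Largest simulation rho in S x S' of K' by K with respect to X."""
    return _refine(k, k2, x, both=False)


def greatest_bisimulation(k, k2, x):
    """Largest bisimulation rho in S x S' between K and K' with respect to X."""
    return _refine(k, k2, x, both=True)


def simulates(k, k2, x):
    """K simulates K': the initial state of K' is simulated by that of K."""
    return (k['init'], k2['init']) in greatest_simulation(k, k2, x)


def bisimilar(k, k2, x):
    """K and K' are bisimilar iff some bisimulation relates their initial states."""
    return (k['init'], k2['init']) in greatest_bisimulation(k, k2, x)


# Constructed models (the paper's figures are not reproduced here).
# L: a single state a0 with a self-loop and no atomic propositions.
L = {'init': 'a0', 'trans': {'a0': {'a0'}}, 'labels': {'a0': set()}}
# M: states b0, b1 with b0 -> {b0, b1}, b1 -> {b1}; no atomic propositions.
M = {'init': 'b0', 'trans': {'b0': {'b0', 'b1'}, 'b1': {'b1'}},
     'labels': {'b0': set(), 'b1': set()}}
# M_x: an x-variant of M (Section 2.4) that labels x only on b1.
M_x = {**M, 'labels': {'b0': set(), 'b1': {'x'}}}

if __name__ == '__main__':
    print(sorted(greatest_simulation(M, L, set())))              # rho_M from the text
    print(bisimilar(M, L, set()), bisimilar(M_x, L, set()))      # True True
    print(simulates(M_x, L, {'x'}), simulates(L, M_x, {'x'}))    # True False
```

`greatest_simulation(M, L, set())` returns exactly $\rho_{\mathcal{M}}$, and its inverse direction holds too, so `bisimilar(M, L, set())` is true. The checks with respect to $\{x\}$ show the asymmetry behind Theorem 2.7: `M_x` simulates $\mathcal{L}$, but $\mathcal{L}$ does not simulate `M_x`, and the two are bisimilar only with respect to the propositions of $\mathcal{L}$, which is what makes `M_x` $x$-bisimilar to $\mathcal{L}$ in the sense used later in Section 2.4.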

Intuitively, if K and K' are bisimilar, then they have equivalent behaviors. The 
theorem below also indicates that they satisfy the same temporal logic formulas. 
Theorem 2.9. [Browne et al. 1988] Let $K$ and $K'$ be two bisimilar Kripke structures. Then, for any CTL* formula $\varphi$,

$$K \models \varphi \;\Leftrightarrow\; K' \models \varphi.$$

It is possible to extend the definition of bisimulation to infinite-state models. Under such an interpretation, a computation tree $T(K)$ of a Kripke structure $K$ is bisimilar to $K$. This is sufficient to show that a CTL* formula cannot distinguish between a Kripke structure and its tree unrolling, i.e., $K \models \varphi \Leftrightarrow T(K) \models \varphi$. This fact is often used to give semantics of CTL* with respect to a computation tree of a Kripke structure instead of with respect to the Kripke structure itself. We say that CTL* is bisimulation closed. Note that not all temporal logics share this property. In particular, some quantified temporal logics that are used in this article (see Section 2.4) are not bisimulation closed.

2.4 Quantified Temporal Logic 

Quantified Temporal Logic (QCTL*) extends the syntax of CTL* with universal ($\forall$) and existential ($\exists$) quantifiers over atomic propositions [Kupferman 1997]. For example, $\forall x \cdot EF(x \Rightarrow EF(\neg x))$ is a QCTL* formula. Here, we consider a fragment in which only a single occurrence of a quantifier is allowed, i.e.,

$$\{\, \varphi,\; \forall x \cdot \varphi,\; \exists x \cdot \varphi \mid \varphi \in \mathrm{CTL}^* \,\}.$$

For simplicity, we still call this fragment QCTL*.

There are several different definitions of semantics of QCTL* with respect to a 
Kripke structure; we consider three of these: structure [Kupferman 1997], tree [Kupfer- 
man 1997], and bisimulation which is introduced in [French 2001] under the name 
amorphous. 

Structure Semantics. Under structure semantics [Kupferman 1997], each bound variable $x$ is interpreted as a subset of the statespace. A universally quantified formula $\forall x \cdot \varphi$ is satisfied by $K$ under this semantics if replacing $x$ by an arbitrary set always results in a formula that is satisfied by $K$.

Definition 2.10 Structure Semantics. [Kupferman 1997] Let $K$ be a Kripke structure, and $\varphi$ a CTL* formula. Structure semantics of QCTL*, written $K \models_s \varphi$, is defined as follows:

$$K \models_s \forall x \cdot \varphi \;\triangleq\; \forall Y \subseteq S \cdot K \models \varphi[x \leftarrow Y]$$
$$K \models_s \exists x \cdot \varphi \;\triangleq\; \exists Y \subseteq S \cdot K \models \varphi[x \leftarrow Y] .$$

That is, a formula $\forall x \cdot \varphi[x]$ is satisfied by $K$ under structure semantics if $\varphi[x]$ is true in $K$ under any interpretation of the atomic proposition $x$.

An equivalent and more constructive definition can be given as well. Let $K_{-x}$, pronounced "$K$ minus $x$", denote the result of removing an atomic proposition $x$ from $K$. Formally,

$$K_{-x} = K \text{ with } AP_{-x} = AP \setminus \{x\}.$$
Fig. 3. A Kripke structure $\mathcal{M}$ and its $x$-variants: $\mathcal{M}|_1$, $\mathcal{M}|_2$, $\mathcal{M}|_3$, and $\mathcal{M}|_4$.

Table I. Satisfaction of QTL formulas $\forall x \cdot P_1$, $\forall x \cdot P_2$, and $\forall x \cdot P_3$ on models $\mathcal{L}$ and $\mathcal{M}$ under different semantics of QTL.

An $x$-variant of a Kripke structure $K$ is a structure $K'$ such that $K'_{-x}$ is identical to $K$. For example, the set of all $x$-variants of $\mathcal{L}$ is shown in Figure 1. A formula $\forall x \cdot \varphi[x]$ is satisfied by a Kripke structure $K$ under structure semantics if and only if $\varphi[x]$ is satisfied by every $x$-variant of $K$. This follows immediately from the one-to-one correspondence between subsets of the statespace of $K$ and labelings of $x$ in an $x$-variant.

We illustrate this semantics using the following formulas:

$$P_1 = AG(x \Rightarrow AXx);$$
$$P_2 = AG((AXx) \vee (AX\neg x));$$
$$P_3 = A((Xx) \vee (X\neg x)).$$

$\mathcal{L} \models_s \forall x \cdot P_1$ since $P_1$ is satisfied by all $x$-variants of $\mathcal{L}$ (see Figure 1), but $\mathcal{M} \not\models_s \forall x \cdot P_1$ since $P_1$ is not satisfied by an $x$-variant of $\mathcal{M}$ (see Figure 3). The results of evaluating the rest of the formulas on $\mathcal{L}$ and $\mathcal{M}$ are summarized in the first three columns of Table I.



Tree Semantics. Under the tree semantics [Kupferman 1997], QCTL* formulas are interpreted with respect to variants of a computation tree $T(K)$ of a Kripke structure $K$.

Definition 2.11 Tree Semantics. [Kupferman 1997] Let $K$ be a Kripke structure, and $\varphi$ a CTL* formula. Tree semantics of QCTL*, written $K \models_T \varphi$, is defined as follows:

$$K \models_T \varphi \;\triangleq\; T(K) \models \varphi$$
$$K \models_T \forall x \cdot \varphi \;\triangleq\; T(K) \models_s \forall x \cdot \varphi$$
$$K \models_T \exists x \cdot \varphi \;\triangleq\; T(K) \models_s \exists x \cdot \varphi .$$

That is, a formula $\forall x \cdot \varphi[x]$ is satisfied by $K$ under tree semantics if and only if it is satisfied by every $x$-variant of the computation tree of $K$. For example, $\mathcal{L} \not\models_T \forall x \cdot P_1$ since $P_1$ is not satisfied by the $x$-variant $T(\mathcal{L})|_1$ of $T(\mathcal{L})$ shown in Figure 2, and $\mathcal{L} \models_T \forall x \cdot P_2$ since every state in the tree unrolling $T(\mathcal{L})$ of $\mathcal{L}$ has exactly one successor. A few additional examples are given in the middle column of Table I. We note that QCTL* under structure and tree semantics is not bisimulation closed [Kupferman 1997].

Bisimulation Semantics. Prior to presenting bisimulation semantics, we need to introduce a notion of $x$-bisimulation. Let $K$ and $K'$ be two Kripke structures. The structure $K'$ is $x$-bisimilar to $K$ if and only if (a) the atomic propositions $AP'$ of $K'$ extend the atomic propositions $AP$ of $K$ with a single atomic proposition $x$, i.e., $AP' = AP \cup \{x\}$, and (b) $K'$ and $K$ are bisimilar with respect to $AP$. That is, $K'$ has exactly the same behaviors as $K$, except for the interpretation of an additional atomic proposition $x$. For a Kripke structure $K$, we use $B_x(K)$ to denote the set of all structures $x$-bisimilar to $K$. For example, the $x$-variant $\mathcal{M}|_1$ of $\mathcal{M}$ is $\{x\}$-bisimilar to $\mathcal{M}$. $\mathcal{M}|_4$ is also $\{x\}$-bisimilar to $\mathcal{L}$. It is easy to observe that in general, the set $B_x(K)$ includes all $x$-variants of the structure $K$, every structure bisimilar to $K$, and every $x$-variant of a structure bisimilar to $K$. The above statement is included here just for clarity.

We are now ready to define bisimulation semantics. Under bisimulation semantics, QCTL* formulas are interpreted with respect to bisimulation variants of a Kripke structure.

Definition 2.12 Bisimulation (Amorphous) Semantics. [French 2001] Let $K$ be a Kripke structure, and $\varphi$ a CTL* formula. Bisimulation semantics of QCTL*, written $K \models_B \varphi$, is defined as follows:

$$K \models_B \forall x \cdot \varphi \;\triangleq\; \forall K' \in B_x(K) \cdot K' \models \varphi$$
$$K \models_B \exists x \cdot \varphi \;\triangleq\; \exists K' \in B_x(K) \cdot K' \models \varphi .$$

That is, a formula $\forall x \cdot \varphi$ is satisfied by $K$ under bisimulation semantics if and only if $\varphi$ is satisfied by every $x$-bisimulation of $K$. For example, $\mathcal{L} \not\models_B \forall x \cdot P_2$ since (a) $\mathcal{M}$ is bisimilar to $\mathcal{L}$, (b) any $x$-variant of $\mathcal{M}$ is $x$-bisimilar to $\mathcal{L}$, and (c) $P_2$ is not satisfied by the $x$-variant $\mathcal{M}|_4$ of $\mathcal{M}$ (see Figure 3). On the other hand, $\mathcal{L} \models_B \forall x \cdot P_3$ since $P_3$ is a temporal logic tautology, i.e., it is true in any model. A few additional examples are given in the last column of Table I.

Note that each semantics extends the range of the interpretation of the quantifiers. Thus, it is harder to satisfy a universal formula under bisimulation semantics than under tree or structure semantics. The following theorem formalizes the relationship between all three QCTL* semantics, and is a corollary of a similar theorem proved by French [French 2001].

Fig. 4. Sample models $\mathcal{N}$, $\mathcal{O}$, and $\mathcal{P}$.

Theorem 2.13. Let $\forall x \cdot \varphi$ be a QCTL* formula, and $K$ a Kripke structure. Then, the following is true

$$(K \models_B \forall x \cdot \varphi) \;\Rightarrow\; (K \models_T \forall x \cdot \varphi) \;\Rightarrow\; (K \models_s \forall x \cdot \varphi).$$

Furthermore, the implications are strict.

Proof. The theorem follows from the fact that every tree unrolling of an $x$-variant of $K$ is an $x$-variant of $T(K)$ and that a tree unrolling $T(K)$ is bisimilar to $K$. Strictness of the first and the second implication is established by the examples in row 3 and row 1 of Table I, respectively. □

3. TOWARDS DEFINING VACUITY 

The first formal definition of vacuity is called propositional antecedent failure and was described by Beatty and Bryant [Beatty and Bryant 1994]. A formula of the form $AG(p \Rightarrow q)$ suffers from antecedent failure on a model $K$ if its antecedent $p$ is not satisfiable in $K$. In particular, this means that the consequent (or the right-hand side) of the implication does not affect the validity of the formula.

Beer et al. [Beer et al. 2001] have generalized antecedent failure to arbitrary temporal formulas, calling the result temporal vacuity. Informally, if a formula $\varphi$ contains a subformula $\psi$ such that replacing $\psi$ by any other formula does not affect the value of $\varphi$, then $\varphi$ is vacuous in $\psi$. Furthermore, [Beer et al. 2001] restricted vacuity to properties with a single occurrence of $\psi$. We call this definition syntactic vacuity and provide a formal definition below:

Definition 3.1 Syntactic Vacuity. [Beer et al. 1997] A formula $\varphi$ in a temporal logic $L$ is syntactically vacuous in a subformula $\psi$ (assuming a single occurrence of $\psi$ in $\varphi$) in a model $K$ iff

When $\varphi$ is vacuous in $\psi$, we say $\varphi$ is $\psi$-vacuous. A formula is vacuous if it is vacuous in any of its subformulas. According to Definition 3.1, non-vacuity of $\varphi$ with respect to a subformula $\psi$ is witnessed by a formula $\varphi'$ of the form $\varphi' = \varphi[\psi \leftarrow \psi']$ for some $\psi' \in L$ such that $K \models \varphi$ and $K \not\models \varphi'$. For example, a non-vacuous satisfaction of $AG(r \Rightarrow AFa)$ with respect to $AFa$ can be witnessed by falsification of $AG(r \Rightarrow \mathit{false})$.

Definition 3.1 provides a useful generalization of antecedent failure. However, when Armoni et al. [Armoni et al. 2003] attempted to generalize syntactic vacuity further (they called it formula vacuity), to deal with multiple occurrences of subformulas, they found that it has three major weaknesses: (1) it makes vacuity of too many formulas debatable, (2) it makes vacuity sensitive to changes in the model that do not (or should not) affect the formula, and (3) it makes vacuity sensitive to the syntax of the temporal logic. We illustrate these weaknesses using several examples inspired by (or sometimes taken directly from) Armoni et al. [Armoni et al. 2003].

Weakness 1. Consider the property

$$P_4 = AG((AXp) \vee (AX\neg p)),$$

which means "in every state, the next valuation of $p$ is computed deterministically", i.e., it is either true in all successors or false in all successors. This property can be vacuous in $AXp$ or $AX\neg p$, since satisfaction of either disjunct is sufficient to satisfy the entire property. However, as we argue below, it should never be vacuous in $p$ under any reasonable definition of vacuity. Our reasoning is as follows. Take any Kripke structure $K$. Every state of $K$ has at least one successor, and the proposition $p$ has some value in each successor of every state. Thus, the value of $p$ directly influences the overall value of $P_4$. Hence, $P_4$ should not be vacuous in $p$, in any Kripke structure. However, according to syntactic vacuity from Definition 3.1, $P_4$ is $p$-vacuous in model $\mathcal{L}$ in Figure 1, since $\mathcal{L}$ satisfies $P_4$, $P_4[p \leftarrow \mathit{true}]$, and $P_4[p \leftarrow \mathit{false}]$. This example shows that vacuity of some syntactically vacuous formulas is debatable, and thus syntactic vacuity is not sufficiently strong.

Weakness 2. Consider again the property $P_4$ defined above. We have already shown that it is syntactically vacuous in $\mathcal{L}$. Next, consider the model $\mathcal{N}$ and the parallel synchronous composition $\mathcal{O} = \mathcal{L} \| \mathcal{N}$ of $\mathcal{L}$ and $\mathcal{N}$, both shown in Figure 4. The composition does not affect any of the original properties that were satisfied by $\mathcal{L}$. However, it does affect the syntactic vacuity of $P_4$: $P_4$ is no longer syntactically $p$-vacuous in $\mathcal{O}$. In particular, $\mathcal{O}$ satisfies $P_4$ (just like $\mathcal{L}$), but refutes

$$P_4[p \leftarrow q] = AG((AXq) \vee (AX\neg q)).$$

Thus, composing $\mathcal{L}$ with $\mathcal{N}$ "fixes" syntactic vacuity of $P_4$, even though $\mathcal{N}$ has no influence on satisfaction of $P_4$. This illustrates that syntactic vacuity is sensitive to "irrelevant" changes to the model.

Weakness 3. Consider the property $P_5 = A(Xq \Rightarrow XXq)$ and the model $\mathcal{P}$ in Figure 4. Assume that $P_5$ is interpreted in LTL. Since $\mathcal{P} \models P_5[q \leftarrow \psi]$ for any LTL formula $\psi$, $P_5$ is $q$-vacuous in $\mathcal{P}$ according to syntactic vacuity (see Definition 3.1).

Let $X^{-1}$ denote the past operator meaning "in the previous state". Formally, $X^{-1}p$ is satisfied by a suffix $\pi_j$ of a path $\pi$ iff $j > 0$, and $p$ is satisfied by the suffix

Let LTL+P denote LTL extended with the past operator. Interpreted in LTL+P, $P_5$ is no longer syntactically $q$-vacuous! The witness to non-vacuity is

$$P_5[q \leftarrow X^{-1}p] = A((XX^{-1}p) \Rightarrow (XXX^{-1}p)) = A(p \Rightarrow Xp),$$

which is falsified by V. That is, syntactic vacuity of a formula can change by re- 
interpreting the formula in a temporal logic with more operators (without changing 
the formula itself), allowing us to conclude that syntactic vacuity is sensitive to the 
syntax of the logic with respect to which the formula is defined. 

In the rest of this section, we systematically develop a robust definition of vacu- 
ity of temporal logic. We explore several semantic definitions of vacuity starting 
with vacuity for propositional logic and ending with a new definition of vacuity for 
temporal logic. We argue that our definition is robust by showing that it is not 
affected by non-essential changes to the model, nor by the number of available log- 
ical operators. Note that unlike prior work [Beer et al. 2001; Armoni et al. 2003], 
we do not distinguish between vacuity with respect to a particular occurrence or 
several occurrences of a subformula. Instead, we present a uniform treatment of the 
definition of vacuity that would allow the user to make the distinction during use. 
While we base the treatment below on subformula vacuity, all of our results easily 
extend to vacuity with respect to arbitrary subsets of occurrences. Of course, when 
restricted to subformulas with a single occurrence, all of the definitions of vacuity 
used in this paper reduce to the original definition of Beer et al. [Beer et al. 2001] . 

3.1 Propositional Vacuity 

We start our exploration of vacuity with propositional logic. A model of a propositional formula $\varphi$ is just a boolean valuation of all atomic propositions of $\varphi$. The value of $\varphi$ in a model is a boolean value, either true or false. Thus, we can check the dependence of $\varphi$ on a subformula $\psi$ by checking whether replacing $\psi$ by the constants true and false affects the value of $\varphi$. This leads to the following formal definition of propositional vacuity.

Definition 3.2 Propositional Vacuity. A propositional formula $\varphi$ is vacuous in a subformula $\psi$, or simply $\psi$-vacuous, in a model $K$ if and only if replacing $\psi$ by true and false does not affect the value of $\varphi$:

$$(K \models \varphi[\psi \leftarrow \mathit{true}]) \;\Leftrightarrow\; (K \models \varphi[\psi \leftarrow \mathit{false}]) .$$

A propositional formula is vacuous if it is vacuous in some subformula $\psi$. Alternatively, vacuity of a propositional formula in a model $K$ can also be expressed as validity of a quantified boolean formula in $K$; that is, $\varphi$ is satisfied $\psi$-vacuously if and only if

$$K \models \forall x \cdot \varphi[\psi \leftarrow x],$$

and $\varphi$ is falsified $\psi$-vacuously if and only if

$$K \models \forall x \cdot \neg\varphi[\psi \leftarrow x].$$

Propositional vacuity is robust for propositional formulas: vacuity of a formula is not affected by trivial changes to the model (such as extending the model with new atomic propositions), nor by the fragment of the propositional logic used to express $\varphi$.
One may conjecture that Definition 3.2 describes robust vacuity for temporal logic as well. However, this is not the case. For example, consider again the formula

$$P_4 = AG((AX\,p) \vee (AX\,\neg p)).$$

According to our intuition discussed as part of Weakness 1 earlier in this section, $P_4$ should not be satisfied $p$-vacuously. Yet, in any model,

$$P_4[p \leftarrow \mathit{true}] = AG((AX\,\mathit{true}) \vee (AX\,\neg\mathit{true})) = \mathit{true}, \text{ and}$$
$$P_4[p \leftarrow \mathit{false}] = AG((AX\,\mathit{false}) \vee (AX\,\neg\mathit{false})) = \mathit{true}.$$

Thus, by Definition 3.2, $P_4$ is $p$-vacuous.

3.2 Structure Vacuity 

Propositional vacuity interprets a model as a mapping from every state of the model to the boolean values true and false. This is a limitation when trying to extend this definition to temporal formulas: replacing a subformula only by the constants true and false is not sufficient for identifying whether the subformula is important. Following this observation, we extend the definition of vacuity to account for all subsets of the statespace $S$. The resulting definition, originally introduced in [Armoni et al. 2003] under the name structure vacuity, is given below.

Definition 3.3 Structure Vacuity. [Armoni et al. 2003] A temporal logic formula $\varphi$ is structure $\psi$-vacuous in a model $K$ if and only if either

$$\forall Y \subseteq S \cdot K \models \varphi[\psi \leftarrow Y], \quad \text{or}$$
$$\forall Y \subseteq S \cdot K \models \neg\varphi[\psi \leftarrow Y],$$

where $S$ is the statespace of $K$.

Alternatively, structure vacuity can be expressed as validity of a quantified temporal logic formula under structure semantics; that is, $\varphi$ is satisfied structure $\psi$-vacuously if and only if

$$K \models_s \forall x \cdot \varphi[\psi \leftarrow x],$$

and $\varphi$ is falsified structure $\psi$-vacuously if and only if

$$K \models_s \forall x \cdot \neg\varphi[\psi \leftarrow x].$$

Definition 3.3 makes vacuity too dependent on a particular model of the system. This leads to undesired side-effects. For example, consider again the property $P_4 = AG((AX\,p) \vee (AX\,\neg p))$ and models $\mathcal{L}$ and $\mathcal{M}$ from Figure 1 and Figure 3, respectively. The two models are bisimilar and cannot be distinguished by any temporal logic formula. However, recall that according to Definition 3.3, $P_4$ is $p$-vacuous in $\mathcal{L}$, and yet it is not $p$-vacuous in $\mathcal{M}$. Thus, structure vacuity is not robust for temporal logic.

3.3 Bisimulation Vacuity 

The example in Section 3.2 illustrates that it is not sufficient to define vacuity with respect to a single particular model $K$. Instead, a robust definition of vacuity must also take into account any model that is behaviorally equivalent to $K$. For temporal logic, two models are considered to be behaviorally equivalent if and only if they are bisimilar. This leads to the following, robust, definition of vacuity.

Definition 3.4 Bisimulation Vacuity. A temporal logic formula $\varphi$ is bisimulation $\psi$-vacuous in a Kripke structure $K$ if and only if it is structure $\psi$-vacuous both in $K$ and in every structure bisimilar to $K$. That is, either

$$\forall K' \in B(K) \cdot \forall Y \subseteq S' \cdot K' \models \varphi[\psi \leftarrow Y], \quad \text{or}$$
$$\forall K' \in B(K) \cdot \forall Y \subseteq S' \cdot K' \models \neg\varphi[\psi \leftarrow Y],$$

where $S'$ denotes the statespace of $K'$.

Alternatively, bisimulation vacuity can be expressed as validity of a quantified temporal logic formula under bisimulation semantics; that is, $\varphi$ is satisfied bisimulation $\psi$-vacuously if and only if

$$K \models_b \forall x \cdot \varphi[\psi \leftarrow x],$$

and $\varphi$ is falsified bisimulation $\psi$-vacuously if and only if

$$K \models_b \forall x \cdot \neg\varphi[\psi \leftarrow x].$$

That is, $\varphi[\psi \leftarrow x]$ is either satisfied or violated in every model that is $x$-bisimilar to $K$. For example, the property $P_4$ is not bisimulation vacuous in either $\mathcal{L}$ or $\mathcal{M}$.

In the next section, we describe some of the key properties of bisimulation vacuity 
and argue that it provides a uniform definition of robust vacuity for both linear and 
branching time logics. 

3.4 Properties of Bisimulation Vacuity 

For CTL*, bisimulation vacuity is more strict than either structure or syntactic vacuity, i.e., if a formula is vacuous w.r.t. bisimulation vacuity, then it is vacuous w.r.t. the structure and syntactic definitions of vacuity as well, but the converse is not true in general.

Theorem 3.5. Let $K$ be a Kripke structure, $\varphi$ be an ACTL* formula, and $\psi$ be a subformula of $\varphi$. Then, if $\varphi$ is bisimulation vacuous in $\psi$ (in $K$) then (a) $\varphi$ is structure vacuous in $\psi$, and (b) $\varphi$ is syntactically vacuous in $\psi$ w.r.t. CTL*.

Proof. Part (a) is a direct consequence of Theorem 2.13.

To prove part (b), we show that for CTL*, structure vacuity implies syntactic vacuity. Let $K = (AP, S, R, s_0, I)$ be a Kripke structure. By Definition 3.1, $\varphi$ is syntactically vacuous in $\psi$ iff for any CTL* formula $\psi'$, $K \models \varphi$ iff $K \models \varphi[\psi \leftarrow \psi']$. Note that $\psi'$ is a state formula. Let $Y$ be the set of all states that satisfy $\psi'$. Formally, $Y = \{s \in S \mid K, s \models \psi'\}$. Then $K \models \varphi[\psi \leftarrow \psi']$ iff $K \models \varphi[\psi \leftarrow Y]$. Thus, for CTL*, structure vacuity is more strict than syntactic vacuity: if $\varphi$ is structure vacuous in $\psi$, then $\varphi$ is syntactically vacuous in $\psi$. □

In the rest of this section, we show that while bisimulation vacuity is not too 
strict, i.e., it does capture the "obvious" cases of vacuity, it is strict enough to be 
robust, i.e., it does not suffer from the three weaknesses identified in the beginning 
of this section. 

Temporal logic tautologies are the most obvious examples of vacuous formulas. 
We show that they are vacuous under bisimulation vacuity. 



16 • Arie Gurfinkel and Marsha Chechik 

Proposition 3.6. Let $\varphi$ be a temporal logic formula with at least one atomic proposition, say $p$. If $\varphi$ is either valid or unsatisfiable, then it is bisimulation $p$-vacuous in any model.

Proof. The proposition follows from the fact that validity is invariant under substitution of atomic propositions with fresh variables. That is, if $\varphi[p]$ is a valid formula with a proper subformula $p$, and $x$ is an atomic proposition that does not occur in $\varphi$, then $\varphi[p \leftarrow x]$ is valid as well. □

For example, consider the property

$$P_6 = (EX\,p) \vee (AX\,\neg p).$$

Replacing $p$ by $x$ in $P_6$ yields

$$P_6[p \leftarrow x] = (EX\,x) \vee (AX\,\neg x),$$

which is a tautology. Hence, $\forall x \cdot P_6[p \leftarrow x]$ is satisfied by any model under any semantics of QCTL* from Section 2.4. Thus, property $P_6$ is bisimulation $p$-vacuous in any model.

Bisimulation vacuity is able to detect vacuity even if the formula itself is not a 
tautology, but contains a non-trivial tautology as a proper subformula. This follows 
from the proof of Proposition 3.6. 

Corollary 3.7. Let $\varphi$ be a temporal logic formula, and $\psi$ be a proper non-constant subformula of $\varphi$ with an atomic proposition $p$. If $\psi$ is either valid or unsatisfiable and $\varphi$ does not contain $p$ outside of $\psi$, then $\varphi$ is bisimulation $p$-vacuous in any model.

For example, consider the property

$$P_7 = AG(q \wedge ((EX\,p) \vee (AX\,\neg p))).$$

Since a tautology can always be replaced by a constant, $P_7$ is equivalent to

$$AG(q \wedge ((EX\,p) \vee (AX\,\neg p))) = AG(q \wedge \mathit{true}) = AG(q).$$

Hence, $P_7$ does not depend on $p$ and is $p$-vacuous in any model. Note that since bisimulation vacuity is stricter than either structure or syntactic vacuity, both Proposition 3.6 and Corollary 3.7 extend to structure and syntactic vacuity as well.

Bisimulation vacuity is strict enough to exclude vacuity that can be "fixed" by 
non-essential changes to the model. In particular, it can distinguish between two 
models only if temporal logic can distinguish between them as well. Thus, two 
models that agree on all temporal logic formulas, also agree on their bisimulation 
vacuity. 

Proposition 3.8. Let $\varphi$ be a temporal logic formula, $\psi$ be a subformula of $\varphi$, and $K$ and $K'$ be two bisimilar Kripke structures. Then, $\varphi$ is bisimulation $\psi$-vacuous in $K$ iff it is bisimulation $\psi$-vacuous in $K'$.

Proof. The proof follows immediately from the definition of bisimulation vacuity. □

For example, the model $\mathcal{L}$ in Figure 1 and the model $\mathcal{M}$ in Figure 3 are bisimilar. Thus, they agree on satisfaction and vacuity of all temporal logic formulas. In particular, property $P_4$ (see Weakness 1) is not bisimulation $p$-vacuous in either model.

An important consequence of Proposition 3.8 is that bisimulation vacuity is not 
affected by parallel synchronous composition. That is, if a formula is vacuous with 
respect to a component, then it is vacuous with respect to the whole system as well. 

Corollary 3.9. Let $\varphi$ be a temporal logic formula, $\psi$ be a subformula of $\varphi$, and $K$ and $K'$ be two Kripke structures. If $\varphi$ is bisimulation $\psi$-vacuous in $K$, then it is bisimulation $\psi$-vacuous in the parallel synchronous composition $K \| K'$.

Proof. This follows from the fact that $K$ and $K \| K'$ are bisimilar with respect to the atomic propositions of $K$. For $K = (AP, S, R, s_0, I)$ and $K' = (AP', S', R', s'_0, I')$, let $K \| K' = (AP \cup AP', S \times S', R_{\|}, (s_0, s'_0), I_{\|})$ be their parallel synchronous composition (see Definition 2.2). Then, the relation

$$\rho = \{(s, (s, t)) \mid s \in S, t \in S'\}$$

is a bisimulation between $K$ and $K \| K'$. □

For example, consider again the example given in Weakness 2. The formula $P_4$ is not bisimulation vacuous in the model $\mathcal{L}$ (Figure 1), and its vacuity status does not change when $\mathcal{L}$ is composed with $\mathcal{N}$ (Figure 4); nor does its vacuity status change when $\mathcal{L}$ is composed with any other model that does not affect the satisfaction of $P_4$.

In summary, we argue that bisimulation vacuity is robust and does not suffer from the three weaknesses described in the beginning of this section. Bisimulation vacuity is stricter than syntactic vacuity: it considers fewer formulas to be vacuous (Weakness 1). It is invariant under bisimulation and cannot be affected by changes of the model that are "irrelevant" to the property being checked (Weakness 2). Finally, it is defined on the semantics of the temporal logic and, hence, is independent of the syntax (Weakness 3). At the same time, it agrees with syntactic vacuity (and other similar definitions) in all of the "obvious" cases of vacuity.

4. COMPLEXITY OF VACUITY DETECTION 

In this section, we present algorithms for bisimulation vacuity detection and analyze 
their complexity. We show that in general, the complexity of bisimulation vacuity 
detection of a branching-time logic is the same as the complexity of the satisfiability 
problem for that logic. We then explore several practically important fragments 
of branching time logics. We show that the complexity of bisimulation vacuity 
detection for those fragments is in the same complexity class as model-checking. 
In the rest of the article, we use the terms "vacuity" or "robust vacuity" to mean 
"bisimulation vacuity" , unless stated otherwise. 
4.1 Complexity of Detecting Bisimulation Vacuity

We begin our study of complexity of detecting vacuity for branching time logics with an example. Let $\varphi$ be a temporal logic formula over a single atomic proposition $p$. That is, while there might be several occurrences of $p$ in $\varphi$, no other atomic proposition is allowed. Now consider the problem of detecting vacuity of $\varphi$ with respect to model $\mathcal{L}$ from Figure 1. Note that every Kripke structure with a single atomic proposition $x$ is $p$-bisimilar to some Kripke structure in $B_x(\mathcal{L})$. Thus, $\varphi$ is satisfied $p$-vacuously by $\mathcal{L}$ iff $\varphi[p \leftarrow x]$ is a tautology. Similarly, $\varphi$ is falsified $p$-vacuously by $\mathcal{L}$ iff $\varphi[p \leftarrow x]$ is unsatisfiable. Thus, the problems of validity and satisfiability of $\varphi$ are reduced to detecting vacuity of $\varphi$ with respect to $\mathcal{L}$. We use this example as an intuition for formulating and proving the general complexity result:

Theorem 4.1. Deciding whether a formula $\varphi$ is bisimulation $\psi$-vacuous is EXPTIME-complete for CTL, and 2EXPTIME-complete for CTL*.

Proof. To prove completeness, we need to show (1) membership and (2) hardness. To show membership, we reduce bisimulation vacuity to model-checking quantified temporal logic under tree semantics. To show hardness, we reduce temporal logic satisfiability to bisimulation vacuity.

Membership. Recall that detecting bisimulation vacuity is reducible to model-checking a quantified temporal logic formula under bisimulation semantics (see Section 3.3). Here, we reduce model-checking under bisimulation semantics to model-checking under tree semantics, which was shown by Kupferman in [Kupferman 1997] to be in EXPTIME for EQCTL and in 2EXPTIME for EQCTL*.



Formally, let $K = (AP, S, R, s_0, I)$ be a Kripke structure, and $m$ be a natural number. We define a Kripke structure $K^m$ to be the tuple

Intuitively, $K^m$ is the result of duplicating each successor of $K$ $m$ times.

Let $\exists x \cdot \varphi$ be an EQCTL formula. We show that $K$ satisfies $\exists x \cdot \varphi$ under bisimulation semantics iff $K^{|\varphi|}$ satisfies $\exists x \cdot \varphi$ under tree semantics, i.e.,

$$K \models_b \exists x \cdot \varphi \;\Leftrightarrow\; K^{|\varphi|} \models_T \exists x \cdot \varphi.$$

The proof of the "if" direction is trivial since $K^m$ is bisimilar to $K$ for any $m$.

The proof of the "only if" direction uses the proof of the small model theorem for CTL (Theorem 6.14 in [Emerson 1990]). Assume that $K \models_b \exists x \cdot \varphi$. Then there exists a computation tree $T$ such that (a) $T$ is bisimilar to $K$, and (b) $T$ satisfies $\varphi$ with respect to structure semantics, i.e., $T \models_s \varphi$. By the proof of the small model theorem for CTL (see proof of Theorem 6.14 in [Emerson 1990]), there exists a subtree $T'$ of $T$ such that

(1) $T' \models_s \varphi$;
(2) $T'$ is bisimilar to $K$;
(3) the branching degree of $T'$ is bounded by $d_K + |\varphi|$, where $d_K$ is the branching degree of $K$.

Let $T^{|\varphi|}$ be the computation tree of $K^{|\varphi|}$. Since $K^{|\varphi|}$ is bisimilar to $K$, by transitivity, $T^{|\varphi|}$ is bisimilar to $T'$. Furthermore, the branching degree of $T^{|\varphi|}$ is greater than or equal to the branching degree of $T'$. Hence, $T'$ is a subtree of $T^{|\varphi|}$. Therefore, $T^{|\varphi|}$ contains a subtree $T'$ with $T' \models_s \varphi$, and so $K^{|\varphi|} \models_T \exists x \cdot \varphi$.

The proof for QCTL* is based on the equivalent Small Model Theorem for CTL* (Theorem 3.2 in [Emerson and Sistla 1984]) and is otherwise identical to the one above.

Fig. 5. A Kripke structure $\mathcal{U}$ with atomic propositions $p$ and $q$, and its encoding $e_z(\mathcal{U})$ using a single atomic proposition $z$.

Hardness for CTL. We have already shown that deciding satisfiability of a CTL formula with a single atomic proposition is reducible to detecting bisimulation vacuity. Now, we reduce satisfiability of CTL to satisfiability of a CTL formula restricted to a single atomic proposition. The idea is to encode the atomic propositions labeling each state by a structure attached to that state. For example, consider a model $\mathcal{U}$ with atomic propositions $p$ and $q$ and its encoding, $e_z(\mathcal{U})$, that uses a single atomic proposition $z$ (see Figure 5). States $a_0$ and $a_1$ of $e_z(\mathcal{U})$ correspond to states $s_0$ and $s_1$ of $\mathcal{U}$, respectively. The structure rooted at $b_0$ encodes the labeling of the atomic propositions at $s_0$: state $b_0$ is labeled with $z$ to indicate that it is the root of the encoding structure; state $c_0$ is labeled with $z$ to indicate that $s_0$ is labeled with $p$, and $d_0$ is labeled with $\neg z$ to indicate that $s_0$ is labeled with $\neg q$. Similarly, the structure rooted at $b_1$ encodes the labeling of the atomic propositions at $s_1$.

Formally, let $K = (AP, S, R, s_0, I)$ be a Kripke structure, $n = |AP|$ denote the number of atomic propositions, and $o : AP \to [0, n]$ be some enumeration of atomic propositions. Then the Kripke structure $e_z(K)$ is the tuple

$$(\{z\},\; S \times [0, n+1],\; R_{e_z},\; (s_0, 0),\; I_{e_z}),$$

where $z$ is a new atomic proposition not in $AP$, and the transition relation and the labeling function are defined as follows:

$$((s,i),(t,j)) \in R_{e_z} \;\Leftrightarrow\; \begin{cases} (s,t) \in R & \text{if } i = j = 0 \\ \mathit{true} & \text{if } s = t \wedge (j = i + 1 \vee i = j = n + 1) \\ \mathit{false} & \text{otherwise} \end{cases}$$

$$I_{e_z}((s,i)) = \begin{cases} \{\neg z\} & \text{if } i = 0 \\ \{z\} & \text{if } \exists p \in AP \cdot o(p) = i - 1 \wedge p \in I(s) \\ \{\neg z\} & \text{otherwise} \end{cases}$$

Given a CTL formula with atomic propositions in $AP$, we replace each atomic proposition with a temporal logic formula over a new atomic proposition $z$. For example, the formula $E[\mathit{true}\ U\ \neg p \wedge A[\mathit{false}\ U\ q]]$ is translated into

$$E[\neg z\ U\ (EX\,z) \wedge AX(z \Rightarrow AX\,\neg z) \wedge (EG\,\neg z) \wedge A[z\ U\ \neg z \Rightarrow ((EX\,z) \wedge AX(z \Rightarrow AX\,AX\,z))]].$$

The translation increases the size of $\psi$ by a factor of $|\psi|$ due to the extra $AX$ operators.

Formally, we define a function $f$ such that for any CTL formula $\psi$, the following conditions hold: (a) $f(\psi)$ only contains one atomic proposition, $z$, and (b) $f(\psi)$ and $\psi$ are equisatisfiable. We define $f$ by induction on the structure of $\psi$, showing just the "interesting" cases ($f$ distributes over the operators in the other cases).

$$\begin{array}{lcl}
f(p) & = & (EX\,z) \wedge AX(z \Rightarrow AX^{o(p)+1}\,z) \\
f(\neg p) & = & (EX\,z) \wedge AX(z \Rightarrow AX^{o(p)+1}\,\neg z) \\
f(EX\,\psi_1) & = & EX(\neg z \wedge f(\psi_1)) \\
f(AX\,\psi_1) & = & EX(\neg z) \wedge AX(\neg z \Rightarrow f(\psi_1)) \\
f(E[\psi_1\ U\ \psi_2]) & = & E[\neg z \wedge f(\psi_1)\ U\ \neg z \wedge f(\psi_2)] \\
f(A[\psi_1\ U\ \psi_2]) & = & EG(\neg z) \wedge A[\neg z \Rightarrow f(\psi_1)\ U\ \neg z \Rightarrow f(\psi_2)]
\end{array}$$



If a model $K$ satisfies a property $\psi$, then $e_z(K)$ satisfies $f(\psi)$.

For the other direction, let $M = (\{z\}, S_M, R_M, s^M_0, I_M)$ be a model for $f(\psi)$. Let $S_K$ be the smallest subset of $S_M$ that satisfies the following two conditions:

$$s^M_0 \in S_K, \quad \text{and}$$
$$\forall s \in S_K \cdot \{t \in S_M \mid I_M(t) = \{\neg z\} \wedge (s,t) \in R_M\} \subseteq S_K.$$

That is, $S_K$ includes the initial state and all states labeled with $\neg z$ that are reachable from the initial state through states labeled with $\neg z$.
Let $K = (AP, S_K, R_K, s^M_0, I_K)$, where

$$(s,t) \in R_K \;\Leftrightarrow\; (s,t) \in R_M,$$
$$p \in I_K(s) \;\Leftrightarrow\; M, s \models AX(z \Rightarrow AX^{o(p)+1}\,z),$$
$$\neg p \in I_K(s) \;\Leftrightarrow\; M, s \models AX(z \Rightarrow AX^{o(p)+1}\,\neg z).$$

Then $K$ is a model for $\psi$: $K \models \psi$. Note that the universal path quantifiers in the encoding of propositions (i.e., $f(p)$ and $f(\neg p)$ given above) ensure that the labeling $I_K$ is consistent (i.e., no state is labeled with both $p$ and $\neg p$). The existential path quantifiers in this encoding ensure that the transition relation of $K$ is total.

Since CTL satisfiability has been shown to be EXPTIME-hard [Fischer and Lad- 
ner 1979], this gives us the desired result. 

Hardness for CTL*. As in the proof of hardness for CTL, we reduce satisfiability of CTL* to satisfiability of a CTL* formula restricted to a single atomic proposition. For the models, we use the same encoding as for CTL.

To translate formulas, we define a function $g$ such that for any CTL* formula $\psi$, the following conditions hold: (a) $g(\psi)$ contains only one atomic proposition, $z$, and (b) $g(\psi)$ and $\psi$ are equisatisfiable. We define $g$ by induction on the structure of $\psi$, again showing just the "interesting" cases.

$$\begin{array}{lcl}
g(p) & = & (EX\,z) \wedge AX(z \Rightarrow X^{o(p)+1}\,z) \\
g(\neg p) & = & (EX\,z) \wedge AX(z \Rightarrow X^{o(p)+1}\,\neg z) \\
g(E\,\psi_1) & = & E((G\,\neg z) \wedge g(\psi_1)) \\
g(A\,\psi_1) & = & (EG\,\neg z) \wedge A((G\,\neg z) \Rightarrow g(\psi_1))
\end{array}$$

The rest of the proof proceeds the same way as for CTL. This establishes hardness in 2EXPTIME since CTL* satisfiability has been shown to be 2EXPTIME-hard [Vardi and Stockmeyer 1985]. □

Theorem 4.1 suggests that bisimulation vacuity detection for CTL* and even 
for CTL is not computationally tractable. However, we show that there are several 
important fragments of CTL* for which vacuity detection is in the same complexity 
class as model-checking, and thus is tractable. We study these in the rest of this 
section, starting with monotone formulas and continuing with ACTL* and ECTL* . 

4.2 Vacuity and Monotone Formulas 

In this section, we study the problem of vacuity detection for monotone formulas. 
We make two contributions. First, we show that vacuity detection for monotone 
formulas is reducible to model-checking. Our algorithm is a natural extension of 
the vacuity detection algorithms of Beer et al. [Beer et al. 2001] and Kupferman 
and Vardi [Kupferman and Vardi 1999]. Second, we show that detecting whether a 
formula expressed in a given temporal logic is monotone is as hard as deciding the 
satisfiability problem for this logic. This means that simple monotonicity checks, 
such as restricting vacuity to a single occurrence as in [Beer et al. 2001], or relying 
on polarity of occurrences, as in [Armoni et al. 2003] , can not be cheaply extended 
to the full temporal logic. 

Definition 4.2 Monotone Formula. A formula $\varphi$ is monotonically increasing in a subformula $\psi$ if whenever $(x \Rightarrow y)$ is valid, so is $(\varphi[\psi \leftarrow x] \Rightarrow \varphi[\psi \leftarrow y])$. It is monotonically decreasing in $\psi$ if whenever $(x \Rightarrow y)$ is valid, so is $(\varphi[\psi \leftarrow y] \Rightarrow \varphi[\psi \leftarrow x])$. We say that $\varphi$ is monotone in $\psi$ if it is either monotonically increasing or monotonically decreasing in $\psi$.

For example, the formula $AG(p \Rightarrow AF\,q)$ is monotonically decreasing in $p$ and is monotonically increasing in $q$; the formula $AG(p \wedge \neg p)$ is monotone in $p$ (it is constant under every substitution for $p$); and the formula $P_4 = AG((AX\,p) \vee (AX\,\neg p))$, in which $p$ occurs with both polarities, is not monotone in $p$.

1: requires: $\varphi$ is monotone in $\psi$
2: boolean isMonVacuous(Formula $\varphi$, Formula $\psi$, Model $K$)
3: return $K \models \varphi[\psi \leftarrow \mathit{true}] \;\Leftrightarrow\; K \models \varphi[\psi \leftarrow \mathit{false}]$

Fig. 6. Vacuity detection algorithm for monotone formulas.

The algorithm for detecting vacuity with respect to monotone subformulas, called isMonVacuous, is given in Figure 6. Detecting vacuity of $\varphi$ with respect to a monotone subformula $\psi$ can be reduced to comparing the results of two model-checking problems: the one in which $\psi$ is replaced with true, and another in which $\psi$ is replaced with false. The algorithm is based on the following intuition. For a fixed model $K$, $\varphi[\psi]$ can be seen as a monotone function from temporal logic to $\{\mathit{true}, \mathit{false}\}$ defined as follows: $\lambda x \cdot K \models \varphi[\psi \leftarrow x]$. The formula $\varphi$ is vacuous in $\psi$ if the above function is a constant (i.e., always true or always false). Since the function is monotone, it is a constant if and only if it assigns the same value to the extreme points: true and false. The correctness of the algorithm is established by the following theorem.

Theorem 4.3. Let $\varphi$ be a temporal logic formula monotone in a subformula $\psi$, and $K$ be a Kripke structure. Then isMonVacuous($\varphi$, $\psi$, $K$) returns true if and only if $\varphi$ is bisimulation vacuous in $\psi$.

Proof. We first establish the ($\Leftarrow$) direction. Assume $\varphi$ is bisimulation vacuous in $\psi$, and without loss of generality, assume that $\varphi$ is satisfied by $K$. From Definition 3.4, it follows that $\varphi$ holds under any interpretation of $\psi$, i.e., $K \models_b \forall x \cdot \varphi[\psi \leftarrow x]$. Finally, by specialization, $K \models \varphi[\psi \leftarrow \mathit{true}] \wedge K \models \varphi[\psi \leftarrow \mathit{false}]$.

For the ($\Rightarrow$) direction, we use the fact that bisimilar structures satisfy the same temporal properties. Formally, for a formula $\varphi$ with a subformula $\psi$ and a Kripke structure $K$,

$$\forall K' \in B(K) \cdot \forall c \in \{\mathit{true}, \mathit{false}\} \cdot (K \models \varphi[\psi \leftarrow c]) \Leftrightarrow (K' \models \varphi[\psi \leftarrow c]) \qquad \text{(constant subst)}$$

Furthermore, without loss of generality, we assume that $\varphi$ is satisfied by $K$, i.e.,

$$(K \models \varphi[\psi \leftarrow \mathit{true}]) \wedge (K \models \varphi[\psi \leftarrow \mathit{false}]).$$

The proof proceeds as follows:

$$\begin{array}{lll}
& (K \models \varphi[\psi \leftarrow \mathit{true}]) \wedge (K \models \varphi[\psi \leftarrow \mathit{false}]) & \text{(by constant subst)} \\
\Rightarrow & \forall K' \in B(K) \cdot (K' \models \varphi[\psi \leftarrow \mathit{true}]) \wedge (K' \models \varphi[\psi \leftarrow \mathit{false}]) & \text{(by monotonicity)} \\
= & \forall K' \in B(K) \cdot \forall Y \subseteq S' \cdot K' \models \varphi[\psi \leftarrow Y] & \text{(by Definition 2.12)} \\
= & K \models_b \forall x \cdot \varphi[\psi \leftarrow x] &
\end{array}$$

Hence, by the discussion following Definition 3.4, $\varphi$ is bisimulation vacuous in $\psi$. □
From the algorithm isMonVacuous and the proof of its correctness, we see that the complexity of detecting vacuity of monotone formulas is the same as that for model-checking:

Corollary 4.4. Deciding whether a temporal logic formula $\varphi$ is vacuous in a monotone subformula $\psi$ has the same complexity as model-checking $\varphi$.

Note that by itself, the algorithm isMonVacuous is incomplete since it requires 
a user to identify monotonicity of a subformula. However, in combination with a 
technique to decide whether a subformula is monotone, the algorithm leads to a 
practical and efficient vacuity detection technique. 

There are several simple syntactic checks to identify monotone subformulas. For example, if $\psi$ has only a single occurrence in $\varphi$, then $\varphi$ is monotone in $\psi$, e.g., $AG(p \vee q \vee r)$ is monotone in $q$. Similarly, if $\psi$ is pure in $\varphi$ (i.e., all occurrences are either positive, like $p$ above, or negative), then $\varphi$ is monotone in $\psi$.

These simple syntactic checks have already been used in the early work on vacuity 
detection by Beer et al. [Beer et al. 2001] and by Kupferman and Vardi [Kupferman 
and Vardi 2003]. The algorithms presented in these papers are equivalent to the 
algorithm isMonVacuous, but only apply to formulas whose monotonicity can be 
detected syntactically. We thus conclude the following: 

Theorem 4.5. All three types of vacuity - syntactic, structure, and bisimulation 
- coincide for monotone formulas. 

In particular, formulas with a single occurrence of a subformula of interest, or formulas with pure polarity, are (syntactically) monotone. Thus, by Theorem 4.5, the three definitions of vacuity coincide for such formulas and so do the algorithms isMonVacuous and those reported in [Beer et al. 2001] and [Kupferman and Vardi 2003].

It is also interesting to see whether the scope of these simple syntactic checks for monotonicity can be significantly extended. We show that this is not possible in general due to the EXPTIME-hardness of this problem.

Theorem 4.6. Deciding whether a formula $\varphi$ is monotone in a subformula $\psi$ is EXPTIME-hard for CTL, and 2EXPTIME-hard for CTL*.

Proof. We reduce the validity problem for CTL, known to be EXPTIME-hard [Fischer and Ladner 1979], to deciding monotonicity. Let $\varphi$ be an arbitrary CTL formula, and $p$ be an atomic proposition not occurring in $\varphi$. Then the formula $\psi = (p \Rightarrow AX\,p) \vee \varphi$ is monotone in $p$ iff $\varphi$ is valid. In general, $\psi$ is not monotone in $p$. However, if $\varphi$ is valid, then $\psi$ is valid as well; hence, it is monotone in all of its atomic propositions.

The proof for CTL* is identical. Note that the validity problem for CTL* is known to be 2EXPTIME-hard [Vardi and Stockmeyer 1985]. □

Thus, identifying whether a given formula is monotone is as difficult as vacu- 
ity detection in general. It is unlikely that the applicability of the algorithm 
isMonVacuous can be generalized past syntactically monotone formulas. 

In this section, we have studied vacuity detection for monotone formulas and gave an efficient algorithm for it. For such formulas, bisimulation vacuity coincides with syntactic vacuity. While our algorithm applies to arbitrary monotone formulas, we have shown that determining whether a given property is monotone is as hard as the general vacuity detection. However, for syntactically monotone formulas, such as those with a single occurrence of a subformula of interest, or formulas with pure polarity, our algorithm becomes identical to [Beer et al. 2001; Kupferman and Vardi 2003].

4.3 Deciding Vacuous Satisfaction of ACTL* Formulas 

In this section, we present an algorithm for detecting whether an ACTL* formula is satisfied vacuously. Specifically, given an ACTL* formula $\varphi$, a Kripke structure $K$ which is known to satisfy $\varphi$, and a subformula $\psi$ of $\varphi$, our goal is to decide whether $\varphi$ is bisimulation vacuous in $\psi$. We show that this problem is in the same complexity class as model-checking. This is significant in practice since properties are often expressed in ACTL* or in its linear fragment, LTL. By duality, the results of this section extend to deciding vacuous falsification of ECTL* formulas.

Recall that deciding whether $\varphi$ is satisfied vacuously is equivalent to model-checking $\forall x \cdot \varphi[\psi \leftarrow x]$ in $K$ under bisimulation semantics. This, in turn, is equivalent to checking that $\varphi[\psi \leftarrow x]$ is satisfied in every model that is $x$-bisimilar to $K$.

Our algorithm for detecting vacuous satisfaction of ACTL* formulas is based on 
the idea that for ACTL* formulas, vacuity detection can be reduced to a single 
model-checking instance. The algorithm, called isSATVacuous, is shown in Fig- 
ure 8(a). In the rest of this section, we first illustrate the algorithm on an example, 
and then formally establish its correctness and complexity. 

As an example, we consider the problem of detecting whether an ACTL* formula is satisfied vacuously in a model $\mathcal{P}$ given in Figure 4. We show that this problem is reducible to a single model-checking problem with respect to a model $\mathcal{Q}$ given in Figure 7. The model $\mathcal{Q}$ is obtained from $\mathcal{P}$ by the following steps: (a) adding a new atomic proposition $x$; (b) splitting each state of $\mathcal{P}$ into two states, one interpreting $x$ as true and another interpreting $x$ as false; and (c) adding a transition between any two states if there is a transition between the corresponding states of $\mathcal{P}$. For example, states $d_0$ and $d_2$ of $\mathcal{Q}$ correspond to splitting state $c_0$ of $\mathcal{P}$; the transition between $d_2$ and $d_1$ in $\mathcal{Q}$ correspon
ds to the transition between $c_0$ and $c_1$ in $\mathcal{P}$; and there is no transition between $d_0$ and $d_2$ in $\mathcal{Q}$ since there is no corresponding self-loop on $c_0$ in $\mathcal{P}$.

It is easy to see that $\mathcal{Q}$ is $x$-bisimilar to $\mathcal{P}$: $\mathcal{Q}$ differs from $\mathcal{P}$ only in its interpretation of the new variable $x$, but otherwise has all of the same behaviors. Furthermore, $\mathcal{Q}$ does not enforce any temporal constraints on $x$: from any state, $x$ can evolve to either true or false. Thus, $\mathcal{Q}$ can simulate (i.e., match the behavior of) any Kripke structure that is $x$-bisimilar to $\mathcal{P}$. For example, $d_0$ can simulate any state that is $x$-bisimilar to $c_0$, and $d_2$ can simulate any state that is $x$-bisimilar to $c_1$. Recall that simulation preserves satisfaction of ACTL* formulas (Theorem 2.7). Thus, since $\mathcal{Q}$ simulates every structure that is $x$-bisimilar to $\mathcal{P}$, it satisfies an ACTL* formula if and only if the formula is satisfied by every structure $x$-bisimilar to $\mathcal{P}$. This reduces model-checking a formula $\varphi[\psi \leftarrow x]$ on all structures that are $x$-bisimilar to $\mathcal{P}$ to a single model-checking problem on $\mathcal{Q}$! Hence, checking whether $\varphi$ is $\psi$-vacuous on $\mathcal{P}$ is equivalent to model-checking $\varphi[\psi \leftarrow x]$ on $\mathcal{Q}$.
Fig. 7. A model $\mathcal{Q}$ used in the reduction of vacuity detection for the model $\mathcal{P}$ from Figure 4 to model-checking.



1: requires: $\varphi$ is an ACTL* formula satisfied by $K$
2: boolean isSATVacuous(Formula $\varphi$, Formula $\psi$, Model $K$)
3: $K' = (K \| \mathcal{X})$
4: return $K' \models \varphi[\psi \leftarrow x]$

(a)

[Figure (b): the two-state Kripke structure $\mathcal{X}$ over the single atomic proposition $x$; the drawing is not reproduced here.]

(b)

Fig. 8. (a) An algorithm for detecting vacuous satisfaction of ACTL* formulas, and (b) Kripke structure $\mathcal{X}$ used by the algorithm.



While $\mathcal{Q}$ has twice as many states as $\mathcal{P}$, both structures share the same symbolic representation of the transition relation, represented by the formula

$$(p \wedge \neg q \wedge \neg p' \wedge q') \vee (\neg p \wedge q \wedge \neg p' \wedge q').$$

This means that for a symbolic model-checking algorithm, checking $\mathcal{Q}$ and the seemingly smaller model $\mathcal{P}$ is equally easy (or equally hard).

We now return to the algorithm isSATVacuous. This algorithm uses a Kripke structure $\mathcal{X}$ shown in Figure 8(b) and defined as $\mathcal{X} = (AP^{\mathcal{X}}, S^{\mathcal{X}}, S^{\mathcal{X}}_0, R^{\mathcal{X}}, I^{\mathcal{X}})$, with a single atomic proposition $x$ ($AP^{\mathcal{X}} = \{x\}$), two states ($S^{\mathcal{X}} = \{0, 1\}$), all states being initial ($S^{\mathcal{X}}_0 = S^{\mathcal{X}}$), any transition being allowed ($R^{\mathcal{X}} = S^{\mathcal{X}} \times S^{\mathcal{X}}$), and $x$ being interpreted as $I^{\mathcal{X}}(0, x) = \mathit{false}$ and $I^{\mathcal{X}}(1, x) = \mathit{true}$.

The correctness of the algorithm is based on the observation that for any Kripke structure $K$, the parallel synchronous composition $K \| \mathcal{X}$ of $K$ and $\mathcal{X}$ (assuming that $x$ is a fresh variable for $K$) simulates any structure $K'$ that is $x$-bisimilar to $K$.

Theorem 4.7. Let $K = (AP, S, R, S_0, I)$ be an arbitrary Kripke structure, and $K' = (AP \cup \{x\}, S', R', S'_0, I')$ be $\{x\}$-bisimilar to $K$. Then $K'$ is simulated by $K \| \mathcal{X}$.
Proof. By Definition 2.2, the Kripke structure $K \| \mathcal{X}$ is

$$(AP \cup \{x\},\; S \times \{0,1\},\; S_0 \times \{0,1\},\; R^{\times},\; I^{\times}),$$

where $R^{\times}((s,i),(t,j)) \Leftrightarrow R(s,t)$, and the labeling is inherited from the components: $I^{\times}((s,i), p) = I(s, p)$ for $p \in AP$, and $I^{\times}((s,i), x) = I^{\mathcal{X}}(i, x)$.

Let $\rho \subseteq S \times S'$ be the $\{x\}$-bisimulation relation between $K$ and $K'$. We claim that $K \| \mathcal{X}$ simulates $K'$ via the relation

$$\rho^{\times} = \{((s,i), t) \mid \rho(s,t) \wedge I^{\times}((s,i)) = I'(t)\}.$$

From the definition of $\rho^{\times}$, it follows immediately that $\rho^{\times}((s,i),t) \Rightarrow (I^{\times}((s,i)) = I'(t))$; thus, it satisfies the first condition of simulation. For the second condition, assume $\rho^{\times}((s,i),t)$ and $R'(t,t')$. Then:

$$\begin{array}{ll}
& \exists s' \in S \cdot \rho(s',t') \wedge R(s,s') \qquad \text{(since } \rho \text{ is a bisimulation)} \\
\Rightarrow & \text{(by definition of } K \| \mathcal{X}) \\
& \exists s' \in S \cdot \forall j \in \{0,1\} \cdot R^{\times}((s,i),(s',j)) \wedge \rho(s',t') \\
\Rightarrow & \text{(since } I'(t',x) \in \{\mathit{true}, \mathit{false}\}) \\
& \exists s' \in S \cdot \exists j \in \{0,1\} \cdot R^{\times}((s,i),(s',j)) \wedge \rho(s',t') \wedge I^{\times}((s',j)) = I'(t')
\end{array}$$

Finally, if $t$ is an initial state of $K'$, then there exist an initial state $s \in S_0$ and an $i \in \{0,1\}$ such that $\rho^{\times}((s,i),t)$ holds, which establishes that $K \| \mathcal{X}$ simulates $K'$ via $\rho^{\times}$. □

Since simulation preserves ACTL*, vacuity detection for an arbitrary ACTL* 
formula is reducible to model-checking over ii" || A". This proves correctness of 
isSATVacuous. 

Proposition 4.8. Let (p be an ACTL* formula with a subformula ip, K be a 
Kripke structure, and assume that K satisfies ip. Then isSATVacuous((^, V', 
returns true if and only if ip is bisimulation vacuous in ^. 

Proof. Let be a formula satisfied by K. We show that <^ is V'-vacuous iff the 
formula (^["0 ^ x\ is satisfied by if || A". 

Since iiT 1 1 A" is {x}-bisimilar to K, the proof of (=>) direction is trivial. 

For i<=) direction, if (^[t/j ^ x] holds in K\\X, then by Theorem 4.7 and Theo- 
rem 2.9 it holds in every {x}-bisimulation of K. □ 

An immediate consequence of Proposition 4.8 is that for the LTL fragment of 
ACTL* , our bisimulation vacuity is equivalent to trace vacuity of Armoni et al [Ar- 
moni et al. 2003]. That is, for any fixed model K, an LTL formula if is trace 
vacuous in ij} if and only if it is bisimulation vacuous in ij). We further elaborate on 
this connection between the two definitions in Section 6. 

From the algorithm isSATVacuous and the proof of its correctness, it is easy to 
see that the complexity of detecting vacuous satisfaction of ACTL* formulas is in 
the same complexity class as model-checking: 



p- = {((s, i),t)\ Pis, t) A rUs, i),x)= I' it, x)}. 



p-i{s,i),t)AR'it,t') 
=^ (since K' is {x}-bisimilar to K) 
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Corollary 4.9. Let ip be an ACTL* formula, tp he a subformula of (p, and K 
be a Kripke structure. Deciding whether K satisfies tl)-vacuously is in the same 
complexity class as model- checking ip. 

As mentioned earlier, while the explicit statespace of $K \parallel X$ is twice that of $K$,
$K \parallel X$ does not impose any restrictions on the atomic proposition $x$; therefore, the
symbolic representation of its transition relation is identical to that of $K$.

In this section, we described an algorithm, isSATVacuous, for detecting whether
an ACTL* formula is satisfied vacuously. We proved correctness of this algorithm
and showed that checking whether an ACTL* formula $\varphi$ is vacuous in some sub-
formula is no more expensive than model-checking $\varphi$.
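The reduction above is short enough to implement directly. The following is an added example (not code from the paper or its authors) for the ACTL fragment with $AX$, $AG$ and $AF$ over explicit-state Kripke structures: it builds $K \parallel X$ exactly as in Theorem 4.7 (every state of $K$ is paired with both states of $X$, transitions are inherited from $K$, and $x$ holds in the copy with index 1), substitutes the subformula $\psi$ by the fresh proposition $x$, and model-checks the result. The tuple syntax for formulas, the function names, the proposition name `x`, the property $P_5 = AG(p \rightarrow AXq)$ used as the running example, and the three small models are all constructed for this example; the models are not the paper's figures. The helper `vacuous_subformulas` goes slightly beyond the algorithm by running the check for every proper subformula, which is how a practitioner would use it as a sanity check.

```python
"""Added example: the isSATVacuous reduction for an explicit-state ACTL checker.

Formulas are nested tuples:  ('prop', 'p'), ('not', f), ('and', f, g),
('or', f, g), ('imp', f, g), ('AX', f), ('AG', f), ('AF', f).
"""


class Kripke:
    """Explicit-state Kripke structure with a total transition relation."""

    def __init__(self, states, init, succ, labels):
        self.states = list(states)
        self.init = set(init)
        self.succ = {s: set(succ.get(s, ())) for s in self.states}
        self.labels = {s: set(labels.get(s, ())) for s in self.states}
        for s in self.states:
            if not self.succ[s]:
                raise ValueError(f"state {s!r} has no successor; relation must be total")

    def props(self):
        return set().union(*self.labels.values())


def sat(K, f):
    """Set of states of K satisfying f (standard fixpoint characterisations)."""
    S, op = set(K.states), f[0]
    if op == 'prop':
        return {s for s in S if f[1] in K.labels[s]}
    if op == 'not':
        return S - sat(K, f[1])
    if op == 'and':
        return sat(K, f[1]) & sat(K, f[2])
    if op == 'or':
        return sat(K, f[1]) | sat(K, f[2])
    if op == 'imp':                                  # a -> b  is  (not a) or b
        return (S - sat(K, f[1])) | sat(K, f[2])
    if op not in ('AX', 'AG', 'AF'):
        raise ValueError(f"unknown operator {op!r}")
    g = sat(K, f[1])
    if op == 'AX':
        return {s for s in S if K.succ[s] <= g}
    Z = S if op == 'AG' else set()                   # AG: gfp of g /\ AX Z;  AF: lfp of g \/ AX Z
    while True:
        ax = {s for s in S if K.succ[s] <= Z}
        Z2 = (g & ax) if op == 'AG' else (g | ax)
        if Z2 == Z:
            return Z
        Z = Z2


def models(K, f):
    """K |= f: all initial states satisfy f."""
    return K.init <= sat(K, f)


def compose_with_X(K, x):
    """K || X, where X has states {0,1}, both initial and fully connected, and x
    holds exactly in state 1. Doubles the states of K and leaves x unconstrained."""
    states = [(s, i) for s in K.states for i in (0, 1)]
    init = [(s, i) for s in K.init for i in (0, 1)]
    succ = {(s, i): {(t, j) for t in K.succ[s] for j in (0, 1)} for (s, i) in states}
    labels = {(s, i): K.labels[s] | ({x} if i else set()) for (s, i) in states}
    return Kripke(states, init, succ, labels)


def substitute(f, psi, x):
    """phi[psi <- x]: replace every occurrence of subformula psi by the proposition x."""
    if f == psi:
        return ('prop', x)
    return (f[0],) + tuple(substitute(g, psi, x) if isinstance(g, tuple) else g for g in f[1:])


def is_sat_vacuous(phi, psi, K, x='x'):
    """isSATVacuous(phi, psi, K): requires K |= phi and x fresh for K.
    True iff phi[psi <- x] holds on K || X, i.e. psi plays no role in the satisfaction."""
    if x in K.props():
        raise ValueError(f"{x!r} is not fresh for K")
    if not models(K, phi):
        raise ValueError("precondition violated: K does not satisfy phi")
    return models(compose_with_X(K, x), substitute(phi, psi, x))


def subformulas(f):
    """Proper subformulas of f, outermost first, without duplicates."""
    out = []
    for g in f[1:]:
        if isinstance(g, tuple):
            for h in [g] + subformulas(g):
                if h not in out:
                    out.append(h)
    return out


def vacuous_subformulas(phi, K):
    """Every proper subformula in which K satisfies phi vacuously."""
    return [psi for psi in subformulas(phi) if is_sat_vacuous(phi, psi, K)]


# Property P5 = AG(p -> AX q) and three constructed sample models (not the paper's figures).
P5 = ('AG', ('imp', ('prop', 'p'), ('AX', ('prop', 'q'))))
K_NEVER_P = Kripke([0, 1], [0], {0: {1}, 1: {0}}, {})                          # antecedent never holds
K_ALWAYS_Q = Kripke([0, 1], [0], {0: {1}, 1: {0}}, {0: {'p', 'q'}, 1: {'q'}})   # consequent always holds
K_GENUINE = Kripke([0, 1, 2], [0], {0: {1}, 1: {2}, 2: {2}}, {1: {'p'}, 2: {'q'}})

if __name__ == '__main__':
    for name, K in (('never p', K_NEVER_P), ('always q', K_ALWAYS_Q), ('genuine', K_GENUINE)):
        print(f"{name:9s} K |= P5: {models(K, P5)}  vacuous in: {vacuous_subformulas(P5, K)}")
```

All three models satisfy $P_5$, but only the third does so for a meaningful reason: in the first, the antecedent $p$ never holds, so $P_5$ is vacuous in $q$ and in $AXq$; in the second, $q$ holds in every state, so $P_5$ is vacuous in $p$. The composed structure has twice as many states, as the text notes, while `compose_with_X` adds no constraint on `x`; a symbolic checker would therefore see the same transition relation.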

4.4 Deciding Vacuous Satisfaction of CTL* in Universal Subformulas

In the rest of this section, we show that the algorithm isSATVacuous can be used
not only for detecting vacuous satisfaction of ACTL* formulas but also for detecting
vacuous satisfaction of CTL* formulas with respect to universal subformulas. That
is, under the assumption that a subformula $\psi$ occurs only under universal path
quantifiers in the negation normal form of $\varphi$, isSATVacuous($\varphi$, $\psi$, $K$) returns true
if and only if $\varphi$ is satisfied vacuously in $\psi$.

Given a fixed model $K$, the structure of a temporal formula $\varphi$ can be simplified
by replacing state subformulas with propositional expressions without affecting the
satisfaction of $\varphi$. For example, consider the model $\mathcal{O}$ in Figure 4(b) and the prop-
erty $AFEGp$. For this model, the formula $EGp$ can be simplified to $p$, and the formula
$AFEGp$ to $AFp$. We use the notation $\mathit{Prop}(\varphi, K)$ to denote some such propo-
sitional simplification of $\varphi$ with respect to a model $K$. Formally, $\mathit{Prop}(\varphi, K)$ is a
formula obtained by replacing some state subformula $\psi$ of $\varphi$ with a propositional
encoding of the set $\|\psi\|^K$ of all the states of $K$ that satisfy $\psi$.

Propositional simplification does not affect satisfaction. That is, a structure $K$
satisfies $\varphi$ if and only if it satisfies a propositional simplification of $\varphi$:

$K \models \varphi \Leftrightarrow K \models \mathit{Prop}(\varphi, K)$ (propositional simplification)

Moreover, this property is preserved by bisimulation: if $K$ and $K'$ are bisimi-
lar, then $\varphi$ can be simplified with respect to either model without affecting its
satisfaction on both models. That is, $K'$ satisfies $\varphi$ if and only if it satisfies any
propositional simplification of $\varphi$ with respect to a bisimilar model $K$.

Theorem 4.10. Let $K$ and $K'$ be two structures such that $K$ is $x$-bisimilar to
$K'$ via a relation $\rho$, and let $\varphi$ be a CTL* formula not containing $x$. Then $K'$
satisfies $\varphi$ iff it satisfies a propositional simplification of $\varphi$ with respect to $K$:

$K' \models \varphi \Leftrightarrow K' \models \mathit{Prop}(\varphi, K)$.

Proof. Let $S$ and $S'$ denote the statespaces and $s_0$ and $s'_0$ denote the initial
states of $K$ and $K'$, respectively. Then

$K' \models \varphi$
$= K', s'_0 \models \varphi$ (definition of $\models$)
$= \exists s \in S \cdot K, s \models \varphi \land (s, s'_0) \in \rho$ (property of $\rho$)
$= \exists s \in S \cdot K, s \models \mathit{Prop}(\varphi, K) \land (s, s'_0) \in \rho$ (propositional simplification)
$= K', s'_0 \models \mathit{Prop}(\varphi, K)$ (property of $\rho$)
$= K' \models \mathit{Prop}(\varphi, K)$ (definition of $\models$)

□

We now use Theorem 4.10 to establish the main theorem of this section. We
show that for any fixed model, a CTL* formula with a universal subformula $\psi$ can
be turned into an ACTL* formula without affecting the $\psi$-vacuity of the formula.

Theorem 4.11. Let $\varphi$ be a CTL* formula with a universal subformula $\psi$, and
$K$ be a Kripke structure. Assume that $K$ satisfies $\varphi$. Then isSATVacuous($\varphi$, $\psi$, $K$)
returns true if and only if $\varphi$ is bisimulation vacuous in $\psi$.

Proof. Let $X$ be the Kripke structure depicted in Figure 8(b). We show that
for a Kripke structure $K$, $\varphi[\psi \leftarrow x]$ is satisfied by $K \parallel X$ iff $\varphi$ is vacuous in $\psi$.
The "if" direction is trivial.

For the "only if" direction, assume that $K \parallel X$ satisfies $\varphi[\psi \leftarrow x]$. Let
$\mathit{Prop}(\varphi[\psi \leftarrow x], K)$ be the result of replacing all existential state subformulas of
$\varphi[\psi \leftarrow x]$ with their propositional simplification in $K$. Since $\psi$ occurs only in the
scope of universal quantifiers, these subformulas do not contain $x$ and can be interpreted
on $K$. By Theorem 4.10, $K \parallel X$ satisfies $\mathit{Prop}(\varphi[\psi \leftarrow x], K)$. Since $\psi$ is universal
and every existential state subformula has been replaced by a propositional expression,
$\mathit{Prop}(\varphi[\psi \leftarrow x], K)$ is in ACTL*. Applying Theorem 4.7 and then Theo-
rem 2.7, we get that every Kripke structure $K'$ that is $x$-bisimilar to $K$ satisfies
$\mathit{Prop}(\varphi[\psi \leftarrow x], K)$. By Theorem 4.10, $K'$ satisfies $\varphi[\psi \leftarrow x]$ as well. Hence, by
Definition 3.4, $\varphi$ is bisimulation vacuous in $\psi$. □

Theorem 4.11 implies that detecting whether an arbitrary CTL* formula is sat-
isfied vacuously in a universal subformula is in the same complexity class as model-
checking:

Corollary 4.12. Let $\varphi$ be a CTL* formula, $\psi$ be a universal subformula of $\varphi$,
and $K$ be a Kripke structure. Deciding whether $K$ satisfies $\varphi$ $\psi$-vacuously is in the
same complexity class as model-checking $\varphi$.

In this section, we have shown that the algorithm isSATVacuous is applicable
not only to ACTL* formulas, but also to detecting vacuous satisfaction of arbitrary
CTL* formulas in universal subformulas. We have also shown that vacuity detection
for this more general case remains in the same complexity class as model-checking.

5. VACUITY AND ABSTRACTION

The statespace explosion problem, i.e., the fact that the size of a model doubles
with the addition of each new atomic proposition, is one of the major challenges
in practical applications of model checking. Abstraction is the most popular and
most effective technique to combat this problem. In this section, we explore the
interactions between vacuity detection and abstraction.
5.1 Abstraction

The key principle of abstraction is to replace model checking of a given property
on a concrete model $K_c$ with model checking of the property on an abstract model
$K_a$. The abstract model is typically chosen such that it is smaller and/or easier
to represent symbolically than $K_c$.

Here, we consider the two most commonly used abstractions. In a bisimulation-
based abstraction, the abstract model $K_a$ is required to be bisimilar to the concrete
model $K_c$. Cone of influence [Clarke et al. 1999] and symmetry reduction [Clarke
et al. 1998; Wei et al. 2005] are two prominent examples of bisimulation-based ab-
straction. This abstraction is sound and complete for CTL*. That is, if a given
property is satisfied or refuted by the abstract model, then it is, respectively, sat-
isfied or refuted by the concrete one as well.

In a simulation-based abstraction, the abstract model $K_a$ is required to simulate
the concrete model $K_c$. This is the most commonly used abstraction technique for
hardware and software model checking, e.g., [Graf and Saidi 1997; Ball et al. 2001].
Simulation-based abstraction is sound (but incomplete) for ACTL*. That is, the
abstract model over-approximates the behaviors of the concrete one. Thus, if an
ACTL* property is satisfied by $K_a$, it is satisfied by $K_c$, but the converse is not
true in general.

5.2 Vacuity Detection in the Presence of Abstraction

In this section, we explore the preservation of vacuity for bisimulation- and simulation-
based abstractions. Clearly, bisimulation-based abstraction is sound and complete
for vacuity of CTL*.

Proposition 5.1. Let $K_a$ and $K_c$ be Kripke structures such that $K_a$ is a bisimulation-
based abstraction of $K_c$, and let $\varphi$ be a CTL* formula with a subformula $\psi$. Then,
$\varphi$ is $\psi$-vacuous in $K_a$ iff it is $\psi$-vacuous in $K_c$.

Proof. By definition of bisimulation-based abstraction, $K_a$ and $K_c$ are bisimi-
lar. By Proposition 3.8, bisimulation vacuity is invariant under bisimulation. □

Note that bisimulation-based abstraction is not sound with respect to alterna-
tive definitions of vacuity! An example in Section 3 (Weakness 2) shows that the
abstraction is not sound with respect to syntactic vacuity: the model $\mathcal{O}$ can be
viewed as an abstraction of a concrete model $\mathcal{L}$. Then, property $P_4$ is vacuous in
the concrete model, but is non-vacuous in the abstract one, i.e., abstraction has masked
vacuity. An example in Section 3.2 illustrates a similar situation for structure vacu-
ity: the model $\mathcal{L}$ can be viewed as concrete and the model $\mathcal{M}$ as abstract. Property
$P_1$ is vacuous in the concrete model and non-vacuous in the abstract one.

We now turn our attention to simulation-based abstraction. Recall that this
abstraction is only sound for ACTL* and thus we can only expect it to be sound
for vacuity of ACTL* properties. Furthermore, this abstraction is not complete and
thus we do not expect it to be complete for vacuity either. We show that below.

Theorem 5.2. Let $K_a$ and $K_c$ be two Kripke structures such that $K_a$ simulates
$K_c$, and let $\varphi$ be an ACTL* formula with a subformula $\psi$. Then, whenever $\varphi$ is
$\psi$-vacuous in $K_a$, it is $\psi$-vacuous in $K_c$.
Fig. 9. A concrete Kripke structure $\mathcal{P}$ and its existential abstraction $\mathcal{P}_a$.

Proof. By Proposition 4.8, $\varphi$ is $\psi$-vacuous in $K_a$ iff $(K_a \parallel X) \models \varphi[\psi \leftarrow x]$, where
$X$ is the Kripke structure shown in Figure 8(b). $K_a$ simulates $K_c$ and thus $K_a \parallel X$
simulates $K_c \parallel X$ as well. Since simulation preserves ACTL*, $K_c \parallel X \models \varphi[\psi \leftarrow x]$.
By Proposition 4.8, $\varphi$ is $\psi$-vacuous in $K_c$. □

Soundness of simulation-based abstraction with respect to vacuity of ACTL* is
a trivial corollary of Theorem 5.2:

Corollary 5.3. Let $K_a$ and $K_c$ be Kripke structures such that $K_a$ is a simulation-
based abstraction of $K_c$, and let $\varphi$ be an ACTL* formula with a subformula $\psi$. Then,
whenever $\varphi$ is $\psi$-vacuous in $K_a$, it is $\psi$-vacuous in $K_c$.

The converse of Theorem 5.2 is not true. As a counterexample, consider the two
structures $\mathcal{P}$ and $\mathcal{P}_a$ shown in Figure 9 and the property

$P_5 = AG(p \rightarrow AXq)$.

While $P_5$ is satisfied vacuously in $\mathcal{P}$, it is non-vacuous in $\mathcal{P}_a$. Thus, vacuity of a
formula might be "hidden" by abstraction.

Note that simulation-based abstraction is not sound with respect to the syntactic and
structural definitions of vacuity. The same examples as used for bisimulation-based
abstraction above apply here as well, since the property $P_4$ is in ACTL*.

In summary, we showed that bisimulation vacuity interacts well with the two most
common abstraction techniques. Bisimulation-based abstraction is sound and com-
plete for CTL* and is also sound and complete for vacuity. On the other hand,
simulation-based abstraction is sound (but incomplete) for ACTL* and is only
sound (but incomplete) for bisimulation vacuity. Moreover, neither of the abstrac-
tions is sound with respect to syntactic or structure vacuity.

Combining vacuity and abstractions other than simulation-based and bisimulation-
based (such as the mixed-simulation-based abstraction of Dams et al. [Dams et al.
1997], which we studied in conjunction with vacuity in [Gurfinkel and Chechik
2004b]) would require reasoning similar to that described in this section but is beyond
the scope of this paper.

6. RELATED WORK

In this section, we survey related work. We begin with a general overview of vacuity
research that is based on (modifications of) the original syntactic vacuity of Beer
et al. [Beer et al. 1997]. We then give an in-depth comparison between bisimulation
vacuity and trace vacuity of Armoni et al. [Armoni et al. 2003]. We conclude this
section with a discussion of other sanity checks that complement model-checking.

Syntactic Vacuity. The majority of the work on vacuity is based on the definition
of syntactic vacuity (see Definition 3.1) of Beer et al. [Beer et al. 1997]. This
definition and the corresponding vacuity detection algorithm have been extended
and adapted to a variety of property languages: to CTL* in [Kupferman and Vardi
1999], to the modal $\mu$-calculus in [Dong et al. 2002], to temporal logic with regular
expressions in [Bustan et al. 2005], and to the logic of symbolic trajectory evaluation
in [Tzoref and Grumberg 2006].

The notion of syntactic vacuity has been extended in a variety of ways. Gurfinkel
and Chechik [Gurfinkel and Chechik 2004b] and Chockler and Strichman [Chockler
and Strichman 2007; 2009] have studied mutual vacuity, which considers vacuity in
several subformulas simultaneously. Dong et al. [Dong et al. 2002] and indepen-
dently Samer and Veith [Samer and Veith 2004] have explored a notion of vacuity
in which a weaker formula (such as $AFp$) can be replaced by a stronger one (such
as $AXp$). Chockler and Strichman [Chockler and Strichman 2007; 2009] have also
explored vacuity between multiple properties, independently of a model.

Several modifications to the naive vacuity detection algorithms of Beer et al. [Beer 
et al. 1997] and Kupferman and Vardi [Kupferman and Vardi 1999] have been 
proposed. Purandare and Somenzi [Purandare and Somenzi 2002] use the parse 
tree of temporal formula to enable information sharing between vacuity detecting 
passes of a symbolic model-checker. Gurfinkel and Chechik [Gurfinkel and Chechik 
2004b] give an algorithm, based on multi-valued model-checking, that detects all 
instances of vacuity of a formula in a single pass. Simmonds et al. [Simmonds et al. 
2010] use resolution proofs to speed up vacuity detection for bounded SAT-based 
model-checking. 

Semantic Vacuity. We were inspired by the work of Armoni et al. [Armoni et al.
2003]. In [Armoni et al. 2003], the authors show many anomalies of the syntactic
approach to vacuity, and informally argue for a set of robustness criteria. They
present a semantic definition of vacuity for LTL, called trace vacuity, and develop
an algorithm for detecting it. In this article, we build on this work by formalizing
the criteria for robust vacuity using bisimulation, and by extending semantic vacuity
to branching-time logic.

In what follows, we give an in-depth comparison between bisimulation vacuity
that is introduced in this article and trace vacuity of Armoni et al. We give a
formal definition of trace vacuity and its trivial extension to CTL* and show that
this extension is not robust. We then show that bisimulation vacuity is a proper
extension of trace vacuity by proving that they coincide for LTL properties. Finally,
we compare the algorithms for detecting trace vacuity for LTL and bisimulation
vacuity for ACTL*.

Originally, trace vacuity was defined using the tree semantics of QTL, making it
directly applicable to CTL*. A formal definition is given below:

Definition 6.1. [Armoni et al. 2003] A temporal logic formula $\varphi$ is trace $\psi$-
vacuous in a Kripke structure $K$ if and only if $K \models_T \forall x \cdot \varphi[\psi \leftarrow x]$.

However, the following example illustrates that trace vacuity is not robust for
branching temporal logic. Consider the property $(AXp \lor AX\neg p)$. It is trace $p$-
vacuous in the model $\mathcal{L}$ in Figure 1 and not trace $p$-vacuous in the model $\mathcal{M}$
in Figure 3. Recall that these two models are bisimilar and thus should behave
identically with respect to vacuity. Thus, trace vacuity is not robust: when applied
to branching time properties, it becomes sensitive to irrelevant changes to the model
(i.e., it suffers from "Weakness 2" as described in Section 3).

Bisimulation vacuity is a proper extension of trace vacuity: i.e., trace and bisim-
ulation vacuity coincide for LTL. Formally, if an LTL formula $\varphi$ is trace vacuous
with respect to a structure $K$, then $\varphi$ is bisimulation vacuous w.r.t. $K$ as well, and
vice versa.

Theorem 6.2. Let $\psi$ be a path formula (i.e., expressed in LTL), and $x$ be an
atomic proposition occurring in $\psi$. Then, tree and bisimulation semantics of the quan-
tified temporal formula $\forall x \cdot A\psi$ are equivalent. Formally, for any model $K$,

$K \models_T \forall x \cdot A\psi \Leftrightarrow K \models_b \forall x \cdot A\psi$.

Proof. The "$\Leftarrow$" direction follows from Theorem 2.13. We prove the "$\Rightarrow$"
direction by contradiction. Assume that $K \models_T \forall x \cdot A\psi$ and $K \not\models_b \forall x \cdot A\psi$. By the
assumption, any trace that is an $x$-variant of a trace of $K$ satisfies the path formula
$\psi$. Furthermore, there exists a structure $K'$ $x$-bisimilar to $K$ with a trace $\pi \in K'$
such that $\pi$ violates the path formula $\psi$, i.e., $\pi \not\models \psi$. However, $\pi$ also belongs to
some $x$-variant of a tree unrolling $T(K)$ of $K$. Hence, $\pi \models \psi$, which contradicts the
assumption. □

isSATVacuous, the algorithm for detecting vacuous satisfaction of ACTL* for-
mulas presented in this article, is very similar to the one suggested by Armoni et
al. for detecting trace vacuity for LTL. The main difference is that our algorithm
is based on changing the model and does not impose any restrictions on the model-
checking procedure to be used. In contrast, the algorithm of Armoni et al. is based
on changing the automaton corresponding to the LTL formula and depends on an
automata-theoretic model-checking procedure. Both of the algorithms can be used
interchangeably for LTL formulas and have the same time and space complexity.

Proof-based vacuity. In [Namjoshi 2004], Namjoshi has introduced a proof-
based variant of vacuity. Although it is called proof vacuity in the original paper,
we refer to it as forall-proof vacuity. The key idea behind this vacuity is to examine
the proofs of $K \models \varphi$ for a Kripke structure $K$ and a formula $\varphi$. Informally, a
formula $\varphi$ is forall-proof vacuous in a subformula $\psi$ iff $\psi$ is not used in any proof
of $K \models \varphi$. Of course, a formal definition depends on the exact interpretation
of the notion of "proof". In comparison, other definitions of vacuity, as well as
the bisimulation vacuity considered here, are of an "existential" nature: a formula is
vacuous if there exists a "proof" that does not use a subformula.

The forall-proof vacuity is semantic. We conjecture that it is invariant under
bisimulation since model-checking proofs can be lifted through a bisimulation rela-
tion. This would make the forall-proof vacuity robust in the sense of this article,
and more strict compared with bisimulation vacuity. We also conjecture that in this
case, exists-proof vacuity may coincide with bisimulation vacuity. At the moment,
both of these conjectures remain open.

Exists-proof vacuity has been explored in the context of SAT-based bounded
model checking (BMC) [Simmonds et al. 2010]. One of the interesting results
of this paper is that it is possible for a formula $\varphi$ to be bisimulation vacuous in $\psi$
in a model $K$, yet there is no resolution proof of bounded satisfaction of $K \models \varphi$
that does not use $\psi$. This follows from the fact that resolution proofs are syn-
tactic (while the proofs used in [Namjoshi 2004] are semantic) and may include
"semantically-useless" resolutions.

Beyond vacuity. Vacuity detection can be seen as a "sanity check". It pro- 
vides the user with an additional degree of confidence that the result of the model- 
checking is not trivial. Another useful sanity check is coverage: detecting which 
part of the model was responsible for property satisfaction. It was shown by Kupfer- 
man [Kupferman 2006] that the two problems are closely related and that techniques 
for one problem can be adapted for the other. 

Perhaps more surprisingly, vacuity detection is also closely connected to 3- valued 
abstraction [Gurfinkel and Chechik 2005]. The two techniques have dual goals: in 
vacuity, we check whether any part of the formula can be simplified or "abstracted 
away" ; in abstraction, we look for parts of the model that can be removed with- 
out affecting satisfaction of its properties. In particular, in [Gurfinkel and Chechik 
2005], we use the theoretical developments from this article to identify when thor- 
ough [Bruns and Godefroid 2000] and compositional semantics of 3-valued model- 
checking coincide. 

In this article, we have considered vacuity only from the perspective of the prop-
erty expressed in temporal logic. A more refined vacuity, or a sanity check, is
possible when additional information about the intended meaning of a property is
available. For example, Chechik et al. [Chechik et al. 2007] use an assumption that
the verification problem includes a combination of a system and an environment.
With this assumption, they present a sanity check that detects whether a formula
is established solely by the environment. Ben-David et al. [Ben-David et al. 2007]
assume that a property has a well-defined pre- and post-condition, and present a
more refined vacuity check aimed at finding formulas whose pre-conditions are never
satisfied.

7. CONCLUSION

Dealing with vacuous or meaningless satisfaction of properties is a recognized prob-
lem in practical applications of automated verification. Over the years, a number
of researchers have attempted to formally capture this notion, calling it vacuity. In
this article, we presented bisimulation vacuity as a uniform definition of vacuity for
both branching and linear temporal logics. Bisimulation vacuity extends syntac-
tic vacuity of Beer et al. [Beer et al. 1997] to subformulas of mixed polarity, and
extends trace vacuity of Armoni et al. [Armoni et al. 2003] to branching temporal
logics. Following Armoni et al. [Armoni et al. 2003], we showed that bisimulation
vacuity is robust, i.e., independent of logic embedding and of trivial changes to
the model, and enjoys all of the advantages of trace vacuity. We also showed that
for many important fragments of temporal logic, vacuity detection is reducible to
model-checking, and thus leads to simple and practical implementations. In par-
ticular, this applies to deciding whether a CTL* formula is satisfied vacuously in a
universal subformula. We then explored the preservation of vacuity by abstraction.



34 • Arie Gurfinkel and Marsha Chechik 



The contributions of our work are two-fold. From the theoretical perspective, 
we studied the complexity of vacuity detection and showed that for branching- 
time logics, it is as hard as the satisfiability problem. That is, vacuity detection 
is exponentially more expensive than model-checking. This implies that in general 
vacuity detection is not computationally tractable, and there does not exist a simple, 
practical vacuity detection algorithm for the entire logic. 

From the practical perspective, we have identified fragments of temporal logics for 
which vacuity can be detected effectively, and provided the corresponding vacuity 
detection algorithms. Specifically, for these fragments, our algorithms are very 
similar to the one studied by Armoni et al. [Armoni et al. 2003]. Thus, we know 
that they are effective in practice for checking vacuity of LTL properties. Since 
the publication of the conference version of this paper, [Gurfinkel and Chechik 
2004a], we have done further studies with our definition of bisimulation vacuity, 
implementing it in the setting of bounded model-checking [Simmonds et al. 2010] 
and applying it to the IBM Formal Verification Benchmarks Library [Haifa 2007]. 